Critical Open Redirect Vulnerability Puts OAuth Login Flow Under Threat
A critical open redirect vulnerability in the authentication callback and login page allows attackers to redirect users to phishing sites after a successful OAuth login. Two endpoints accept a user-controlled redirect parameter and pass it directly to `NextResponse.redirect()` without validation, enabling silent redirection to attacker-controlled domains. The vulnerability has no prerequisites beyond completing a valid OAuth flow, so it is exploitable as the application currently stands.
The issue stems from the application accepting user-supplied redirect targets without sanitization or allowlist validation. An attacker can craft a URL such as `yourapp.com/auth/callback?next=//evil.com`, tricking users into believing they are clicking a legitimate link. The victim passes through real Google OAuth authentication on the authentic domain, reinforcing trust before being redirected to a look-alike page that requests "additional verification" or a password re-entry. The user has no reason to suspect compromise because the entire initial interaction occurred on the legitimate domain.
Open redirects are classified in the OWASP Top 10 under Unvalidated Redirects and Forwards, a well-documented attack vector frequently employed in credential phishing campaigns. Organizations relying on the affected authentication flow face elevated phishing risk, particularly from social engineering that exploits trust in seemingly safe login URLs. Remediation requires allowlisting redirect targets, or strictly validating the target's domain, before `NextResponse.redirect()` is called. Security teams should audit all authentication-related endpoints for the same pattern.
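The following is an added example, not code from the affected application, showing the vulnerable pattern described above beside a hardened resolver for the `next` parameter. `APP_ORIGIN`, `DEFAULT_LANDING`, the function names and the sample inputs are assumptions constructed for the illustration; `NextResponse.redirect()` is the Next.js API named in the write-up and appears only in a comment so that the file runs stand-alone in Node.

```javascript
// Added example (not the affected project's code). APP_ORIGIN and DEFAULT_LANDING
// are constructed values standing in for the real application's configuration.
const APP_ORIGIN = "https://yourapp.com";
const DEFAULT_LANDING = "/dashboard";

// Vulnerable pattern from the write-up: the raw query value becomes the redirect
// target. A value such as "//evil.com" resolves to https://evil.com in the browser,
// so the user is sent off-site straight after a genuine OAuth login.
function vulnerableRedirectTarget(next) {
  return next ?? DEFAULT_LANDING;
}

// Hardened form: resolve `next` against the application origin with the WHATWG
// URL parser and accept only targets whose origin (scheme + host + port) matches
// exactly. Letting the parser normalise the input first is what defeats the
// string-level tricks a naive "starts with /" check misses: protocol-relative
// "//host", backslashes treated as slashes, "user@host" authorities, and
// look-alike hosts such as yourapp.com.evil.com.
function safeRedirectTarget(next, appOrigin = APP_ORIGIN) {
  if (typeof next !== "string" || next.length === 0) return DEFAULT_LANDING;
  let resolved;
  try {
    resolved = new URL(next, appOrigin);
  } catch (_err) {
    return DEFAULT_LANDING; // unparsable input: fall back rather than guess
  }
  if (resolved.origin !== new URL(appOrigin).origin) return DEFAULT_LANDING;
  // Return only path + query + fragment, never the full URL, so the Location
  // header can never carry an attacker-chosen scheme or host.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Where the check belongs in the callback handler: derive the Location from the
// validated relative path. In a Next.js route handler this value would be passed
// to NextResponse.redirect(); that call is not exercised by this stand-alone file.
function buildCallbackLocation(requestUrl) {
  const next = new URL(requestUrl).searchParams.get("next");
  return new URL(safeRedirectTarget(next), APP_ORIGIN).toString();
}

// Constructed sample inputs covering the cases an allowlist check must survive.
const SAMPLES = [
  "/dashboard",                       // plain same-origin path: allowed
  "/account?tab=security#keys",       // query and fragment preserved: allowed
  "//evil.com",                       // protocol-relative, from the write-up: blocked
  "/\\evil.com",                      // backslash variant of the same trick: blocked
  "https://evil.com/login",           // absolute foreign origin: blocked
  "https://yourapp.com.evil.com/",    // look-alike subdomain: blocked
  "https://yourapp.com@evil.com/",    // userinfo spoofing the host: blocked
  "javascript:alert(1)",              // non-HTTP scheme (origin "null"): blocked
  "http://yourapp.com/downgraded",    // right host, wrong scheme: blocked
];

for (const sample of SAMPLES) {
  console.log(
    JSON.stringify(sample).padEnd(36),
    "vulnerable ->", vulnerableRedirectTarget(sample).padEnd(32),
    "hardened ->", safeRedirectTarget(sample)
  );
}
```

Matching on `resolved.origin` rather than on the hostname string is deliberate: it also rejects an HTTPS-to-HTTP downgrade and a changed port, and it covers the `yourapp.com@evil.com` and `yourapp.com.evil.com` forms without a hand-written list of prefixes. If the application legitimately needs to land users on a small set of other origins, extend the comparison to a fixed allowlist of full origins, never to a substring or prefix match.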