CVE-2025-60935

6.1 MEDIUM

📋 TL;DR

An open redirect vulnerability in Blitz Panel v1.17.0 allows attackers to redirect authenticated users to malicious domains via crafted URLs. This affects all users of the vulnerable version and could lead to phishing attacks or token theft after successful login.

💻 Affected Systems

Products:
  • Blitz Panel
Versions: v1.17.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the login endpoint with next_url parameter manipulation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal authentication tokens or credentials via phishing sites, leading to account compromise and potential lateral movement.

🟠 Likely Case

Users are redirected to phishing sites that harvest credentials or install malware.

🟢 If Mitigated

Redirects are blocked or users are warned about external domains, preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (clicking link) but is trivial to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Monitor GitHub repository for updates.

🔧 Temporary Workarounds

Input Validation Filter (Platform: all)

Add server-side validation so that only relative URLs or trusted domains are accepted in the next_url parameter.

Action: Modify the login endpoint code to validate next_url against a whitelist.

Remove Redirect Parameter (Platform: all)

Disable or remove the next_url parameter functionality entirely.

Action: Modify the login endpoint to ignore the next_url parameter.
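An added example of the server-side check described in the first workaround (not Blitz Panel's own code; it assumes a Python backend and uses a constructed allowlist). It accepts only site-relative paths or https URLs to an explicitly trusted host, and rejects scheme-relative, backslash, userinfo and encoded variants that naive "starts with /" checks miss:

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist; replace with the panel's real hostname(s) (assumption).
TRUSTED_HOSTS = frozenset({"panel.example.internal"})
DEFAULT_REDIRECT = "/"


def is_safe_next_url(next_url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if next_url stays on this site or a trusted host."""
    if not next_url:
        return False
    # Validate the decoded form: the browser decodes once before resolving.
    candidate = unquote(next_url).strip()
    # Browsers treat backslashes as slashes, so "/\evil.com" is "//evil.com".
    candidate = candidate.replace("\\", "/")
    # Control characters and embedded whitespace can smuggle a scheme past
    # simple prefix checks ("ja\tvascript:"), so reject them outright.
    if any(ord(c) < 0x20 or c.isspace() for c in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL ("//evil.com" parses with a netloc).
        # urlsplit().hostname ignores userinfo, so "trusted@evil.com" yields evil.com.
        return parts.scheme == "https" and parts.hostname in trusted_hosts
    # Site-relative path: require exactly one leading slash. A decoded
    # "///evil.com" reaches here with an empty netloc and is rejected too.
    return candidate.startswith("/") and not candidate.startswith("//")


def resolve_next_url(next_url: str, trusted_hosts=TRUSTED_HOSTS) -> str:
    """Redirect target to use after login: the validated value or a safe default."""
    if is_safe_next_url(next_url, trusted_hosts):
        return next_url
    return DEFAULT_REDIRECT
```

Call resolve_next_url() on the raw query parameter and place its result in the Location header; anything it rejects falls back to the default landing page.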

🧯 If You Can't Patch

  • Implement WAF rules to block malicious redirect patterns in login requests.
  • Educate users about phishing risks and implement URL warning banners.

🔍 How to Verify

Check if Vulnerable:

Test the login endpoint with the next_url parameter set to an external domain such as https://evil.com and observe whether the post-login redirect leaves the application.

Check Version:

Check Blitz Panel version in admin interface or configuration files.

Verify Fix Applied:

Verify that, after implementing validation, redirects only occur to trusted/internal domains.

📡 Detection & Monitoring

Log Indicators:

  • Login requests with external domains in next_url parameter
  • Unexpected redirects after authentication

Network Indicators:

  • Outbound connections to suspicious domains immediately after login

SIEM Query:

source="web_logs" AND uri="/login" AND query_string="*next_url=*" AND NOT query_string="*next_url=/"
