CVE-2025-64481
📋 TL;DR
Datasette versions 0.65.1 and below, and 1.0a0 through 1.0a19 contain an open redirect vulnerability where requests to paths starting with double slashes (//example.com/) redirect users to external URLs. This allows attackers to redirect users to malicious sites while appearing to come from the legitimate Datasette instance. All users running affected versions with internet-facing deployments are vulnerable.
💻 Affected Systems
- Datasette
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect users to phishing sites that steal credentials or deliver malware, potentially compromising user accounts and systems.
Likely Case
Attackers use the redirect for phishing campaigns, tricking users into visiting malicious sites while appearing to come from a trusted Datasette instance.
If Mitigated
With proper proxy controls or patching, the redirect is blocked or fixed, preventing exploitation.
🎯 Exploit Status
Exploitation is trivial - simply crafting a URL with double slashes triggers the redirect. No authentication or special privileges required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.65.2 or 1.0a21
Vendor Advisory: https://github.com/simonw/datasette/security/advisories/GHSA-w832-gg5g-x44m
Restart Required: Yes
Instructions:
1. Update Datasette to version 0.65.2 or 1.0a21 using pip: 'pip install --upgrade datasette==0.65.2' or 'pip install --upgrade datasette==1.0a21'.
2. Restart the Datasette service.
🔧 Temporary Workarounds
Proxy URL normalization
Configure the reverse proxy (nginx, Apache, etc.) to normalize double slashes to single slashes in incoming URLs before they reach Datasette.
For nginx: location / { rewrite ^//(.*)$ /$1 permanent; } (note that nginx collapses adjacent slashes before location and rewrite matching while merge_slashes is on, which is the default, so this rule only fires with merge_slashes off; otherwise make sure proxy_pass forwards the normalized $uri rather than the original request URI, or the upstream still sees the double slash)
For Apache: RewriteRule ^//(.*)$ /$1 [R=301,L] (in server or virtual-host context, where the pattern is matched against the full URL path)
🧯 If You Can't Patch
- Implement the proxy workaround to normalize // to / in URLs
- Restrict access to Datasette to trusted networks only using firewall rules
🔍 How to Verify
Check if Vulnerable:
Test by requesting your Datasette instance with a URL like https://your-datasette.example.com//external-site.com/ using a client that does not follow redirects, so the Location header is visible. If the response is a 301/302 whose Location points to external-site.com, you're vulnerable.
Check Version:
datasette --version
Verify Fix Applied:
After patching, request the same URL again: it should no longer redirect to an external site and should instead return a 404 or a normal same-origin response.
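The following check script performs the verification described above with redirect-following disabled and classifies the Location header. It is an added example, not code from the advisory or from the Datasette project; the base URL and the external-site.com host are placeholders.

```python
"""Check whether a Datasette instance redirects double-slash paths off-site.
Added example, not part of the advisory or the Datasette project."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def is_external_redirect(base_url, status, location):
    """True when a redirect response points at a host other than base_url's host."""
    if status not in REDIRECT_CODES or not location:
        return False
    target = urlsplit(location)
    # A plain relative Location ("/external-site.com/") has no netloc and stays
    # on the same origin; a scheme-relative one ("//external-site.com/") parses
    # with netloc set and is treated like an absolute URL.
    if not target.netloc:
        return False
    return target.netloc.lower() != urlsplit(base_url).netloc.lower()


def probe(base_url, external_host="external-site.com", timeout=10):
    """Request <base_url>//<external_host>/ without following redirects.
    Returns (status, location, vulnerable)."""
    url = base_url.rstrip("/") + "//" + external_host + "/"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, location = resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled urllib raises HTTPError for 3xx (and for 404
        # after the fix); the headers are still available on the exception.
        status, location = err.code, err.headers.get("Location")
    return status, location, is_external_redirect(base_url, status, location)


if __name__ == "__main__":
    # usage: python check_redirect.py https://your-datasette.example.com
    status, location, vulnerable = probe(sys.argv[1])
    print(f"HTTP {status} Location={location!r} vulnerable={vulnerable}")
```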
📡 Detection & Monitoring
Log Indicators:
- HTTP requests whose path begins with '//' (for example //external-site.com/)
- 301/302 redirect responses to external domains
Network Indicators:
- HTTP redirects from Datasette to unexpected external domains
SIEM Query:
url:*/\/\/* AND (response_code:301 OR response_code:302)