CVE-2025-65581
📋 TL;DR
An open redirect vulnerability in Volosoft ABP Framework's Account module allows attackers to redirect users to malicious external websites by manipulating the returnUrl parameter during registration. This affects all applications using ABP Framework versions 5.1.0 through 10.0.0-rc.1. Users could be tricked into visiting phishing sites or downloading malware.
💻 Affected Systems
- Volosoft ABP Framework
📦 What is this software?
Abp by Volosoft
⚠️ Risk & Real-World Impact
Worst Case
Users redirected to sophisticated phishing sites that steal credentials or deliver malware, leading to account compromise, data theft, or ransomware infection.
Likely Case
Users redirected to phishing pages attempting to steal login credentials or personal information, potentially leading to account takeover.
If Mitigated
Users see warning messages or are blocked from external redirects, preventing successful phishing attacks.
🎯 Exploit Status
Attack requires user interaction (clicking a crafted registration link) but is trivial to execute once the malicious URL is created.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.0-rc.2 or later
Vendor Advisory: https://github.com/abpframework/abp/commit/44a2dc14e933f3ce1ca93f9313d836694ab77d1d
Restart Required: Yes
Instructions:
1. Update ABP Framework to version 10.0.0-rc.2 or later.
2. Rebuild and redeploy your application.
3. Restart application services.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation to reject returnUrl parameters containing external domains
Implement custom validation in AccountController.Register method to check returnUrl against allowed domains
URL Whitelist
Restrict returnUrl to only allow relative URLs or specific trusted domains
Configure URL validation to only permit returnUrl values starting with '/' or specific approved domains
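A server-side check covering both workarounds above (accept only app-local paths or absolute https URLs on an allow-listed host), written here as an added example rather than ABP's own code; the allowed-host list and the sample values are constructed, and the protocol-relative cases show why a bare "starts with '/'" test is not enough:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not ABP Framework code): validate returnUrl before redirecting.
public static class ReturnUrlGuard
{
    // Returns true only for app-local paths or https URLs on an explicitly allowed host.
    public static bool IsSafeReturnUrl(string returnUrl, IReadOnlyCollection<string> allowedHosts)
    {
        if (string.IsNullOrWhiteSpace(returnUrl))
            return false;

        // Control characters and whitespace are normalised away by browsers, so reject them outright.
        if (returnUrl.Any(c => char.IsControl(c) || char.IsWhiteSpace(c)))
            return false;

        if (returnUrl[0] == '/')
        {
            // "/" alone is fine; "//host" and "/\host" are treated as protocol-relative by browsers.
            return returnUrl.Length == 1 || (returnUrl[1] != '/' && returnUrl[1] != '\\');
        }

        // Anything else must parse as an absolute URL; non-https schemes (javascript:, data:) fail below.
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out var uri))
            return false;

        return uri.Scheme == Uri.UriSchemeHttps
            && allowedHosts.Contains(uri.Host, StringComparer.OrdinalIgnoreCase);
    }

    public static void Main()
    {
        var allowed = new[] { "app.example.com" };   // constructed allow-list
        var samples = new[]                           // constructed returnUrl values
        {
            "/Account/Manage",             // allow: app-local path
            "//evil.com",                  // block: protocol-relative
            "/\\evil.com",                 // block: backslash variant
            "https://evil.com/login",      // block: host not on the allow-list
            "https://app.example.com/x",   // allow: allow-listed host
            "javascript:alert(1)",         // block: not an https URL
        };
        foreach (var s in samples)
            Console.WriteLine($"{(IsSafeReturnUrl(s, allowed) ? "allow" : "block"),-5} {s}");
    }
}
```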
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests with external URLs in the returnUrl parameter
- Monitor logs for suspicious redirect patterns and implement user education about phishing risks
🔍 How to Verify
Check if Vulnerable:
Test by attempting registration with the returnUrl parameter set to an external domain such as https://evil.com
Check Version:
Run dotnet list package and check the versions of the Volo.Abp.* packages, or examine the project dependencies directly
Verify Fix Applied:
After patching, repeat the test with the same external URL; the redirect should be blocked or sanitized
📡 Detection & Monitoring
Log Indicators:
- HTTP 302 redirects to external domains from registration endpoints
- Unusual spikes in /Account/Register requests with returnUrl parameters
Network Indicators:
- Outbound connections to suspicious domains following registration requests
SIEM Query:
source="web_logs" AND uri_path="/Account/Register" AND query_string="*returnUrl=http*" | stats count by src_ip