CVE-2026-25198
📋 TL;DR
This CVE describes an open redirect vulnerability in the web2py web framework. An attacker can craft a URL that, when clicked, redirects the user to an arbitrary external website. All users of affected web2py versions are exposed to phishing attacks through this mechanism.
💻 Affected Systems
- web2py
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Users are redirected to sophisticated phishing sites that steal credentials or deliver malware, leading to account compromise or system infection.
Likely Case
Users are redirected to phishing pages attempting to steal login credentials or personal information.
If Mitigated
With proper user awareness training and browser security settings, users may recognize suspicious redirects before entering sensitive information.
🎯 Exploit Status
Open redirect vulnerabilities are commonly exploited in phishing campaigns and require minimal technical skill to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.27.1-stable+timestamp.2023.11.16.08.03.57
Vendor Advisory: https://github.com/web2py/web2py/releases
Restart Required: Yes
Instructions:
1. Update web2py to the latest version from the GitHub releases page.
2. Restart your web2py application.
3. Verify the fix by checking that commit b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df is present.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to reject URLs with external domains in redirect parameters
Content Security Policy
Implement CSP headers to restrict redirect destinations
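The "Input Validation Filter" workaround, as an added example that is not web2py project code: a server-side allow-list check for a user-supplied redirect target, covering the scheme-relative, backslash, userinfo and non-http scheme forms that a naive host comparison misses. It assumes the application reads the target from a query parameter (the name `next` below is hypothetical) before calling web2py's `redirect()`.

```python
# Added example, not part of web2py. Validate a redirect target before
# handing it to redirect(); anything not provably same-site is replaced
# by a fallback path.
from urllib.parse import urlsplit


def is_safe_redirect(target: str, allowed_hosts: set[str]) -> bool:
    """True only for a site-relative path or an absolute http(s) URL whose
    host is in allowed_hosts; every other form is rejected."""
    if not target:
        return False
    # Browsers accept backslashes as slashes in http(s) URLs, so normalise
    # first: "/\evil.example" must be seen as "//evil.example".
    target = target.replace("\\", "/")
    # Whitespace and control characters are stripped by browsers and can
    # hide a scheme or host from a naive parser; reject them outright.
    if any(ord(c) < 0x21 for c in target):
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Only http(s); javascript:, data: and friends are never redirects.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        # hostname drops any "user@" prefix, so "https://app.example@evil.example"
        # is compared as evil.example, not app.example.
        host = parts.hostname
        return host is not None and host.lower() in allowed_hosts
    if parts.netloc:
        return False  # scheme-relative "//evil.example"
    # Relative path: must start with exactly one "/". "///evil.example" has an
    # empty netloc for urlsplit but resolves to http://evil.example in browsers.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target: str, allowed_hosts: set[str], fallback: str = "/") -> str:
    """Return target if it passes is_safe_redirect, otherwise fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample inputs; "app.example" is the hypothetical site host.
    allowed = {"app.example"}
    for candidate in ["/dashboard", "https://app.example/account",
                      "//evil.example/login", "/\\evil.example",
                      "https://app.example@evil.example/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate, allowed)}")
```

In a web2py controller this would wrap the value read from `request.vars` before the `redirect()` call; the fallback keeps the user on the site instead of erroring.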
🧯 If You Can't Patch
- Implement WAF rules to block requests with suspicious redirect parameters
- Educate users about phishing risks and how to identify suspicious URLs
🔍 How to Verify
Check if Vulnerable:
Check the web2py version against the affected range. Test by attempting to redirect to an external domain using crafted URL parameters.
Check Version:
Check the web2py version in the application files or via the admin interface.
Verify Fix Applied:
Test that redirects to external domains are blocked or properly validated after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns
- Requests with external URLs in parameters
- Multiple failed redirect attempts
Network Indicators:
- HTTP 302/301 redirects to unexpected external domains
- Suspicious referrer headers
SIEM Query:
http.status_code IN (301, 302) AND url.query CONTAINS 'redirect' AND NOT url.host IN allowed_domains