Open Redirect in openwhyd/openwhyd


Reported on

Dec 5th 2021


This vulnerability was discovered here by @mdakh404. However, it is not patched properly and I bypassed it with a simple trick.

      r.html = mainTemplate.renderWhydPage(r);
    // call the adequate renderer
-    if (r.redirect) response.redirect(r.redirect);
+    if (r.redirect) response.safeRedirect(r.redirect);
    else if (r.html) response.renderHTML(r.html);
    else response.renderJSON(r);
    // and track visit to that page
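
Review bot: the `response.safeRedirect(r.redirect)` line is only as strong as the check inside `safeRedirect()`, and nothing in this hunk documents or tests which values `r.redirect` may carry. A regression test that feeds this branch an absolute off-site URL and a scheme-relative one, and asserts that the response is refused, would pin down the intended behaviour.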

First, I checked how it was patched. When I checked the patch, I could see that when redirecting in consent.js, the redirect() method was replaced with the safeRedirect() method.


+ // TODO: this function is overrided by Express => delete it to prevent ambiguity
 http.ServerResponse.prototype.redirect = function (url) {
   return this.renderHTML(loggingTemplate.htmlRedirect(url));

+ http.ServerResponse.prototype.safeRedirect = function (url) {
+   const fullURL = new URL(url, config.urlPrefix);
+   if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();
+   this.redirect(url);
+ };
 http.ServerResponse.prototype.redirectWithTracking = function (url, title) {
   return this.renderHTML(
     loggingTemplate.renderRedirectPageWithTracking(url, title)
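
Review bot: in `safeRedirect()`, `fullURL.toString().startsWith(config.urlPrefix)` compares the serialized href as a string, which is not an origin check: any URL whose text merely begins with the prefix passes, even when it parses to a different host. Compare parsed components instead, for example `fullURL.origin === new URL(config.urlPrefix).origin`, and pass the validated `fullURL` rather than the raw `url` to `this.redirect(url)`. The TODO on `redirect` also leaves the unchecked method in place for every other caller.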

The safeRedirect() method has been added to logging.js. However, if you look at the safeRedirect() method, you can see that it is flawed...

+ if (!fullURL.toString().startsWith(config.urlPrefix))

Look at the conditional statement! The value of url is parsed with the URL() constructor and stored in the fullURL variable. Then, in the if statement, fullURL is converted to a string and compared with the urlPrefix value. The default string value of a URL object is its href, not its origin, host, or hostname.

Look at the picture above. The flawed check can be circumvented using a simple trick. You need to use origin, host, or hostname to validate the URL!

Proof of Concept

1. Open the
2. If you click the button after agreeing to the terms and conditions, you will be redirected to Google.


Open Redirect can do additional damage by redirecting you to a malicious site.
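
The report's recommendation to validate with origin instead of the href string, as an added example (not openwhyd's code or its actual fix): it runs the patch's prefix check beside an origin comparison over constructed inputs. `URL_PREFIX`, `prefixCheck`, `originCheck`, `safeRedirectTarget` and the `.example`/`.test` hosts are assumptions made for illustration.

```javascript
// Added example, not openwhyd code. URL_PREFIX is a constructed stand-in for
// config.urlPrefix; the page does not show its real value.
const URL_PREFIX = 'https://app.example';

// The check from the patch quoted in the report: prefix match on the href.
function prefixCheck(url, prefix = URL_PREFIX) {
  const fullURL = new URL(url, prefix);
  return fullURL.toString().startsWith(prefix);
}

// Hardened check: resolve against the base, then compare parsed origins
// (scheme + host + port) instead of serialized strings.
function originCheck(url, prefix = URL_PREFIX) {
  if (typeof url !== 'string') return false;
  let target;
  try {
    target = new URL(url, prefix);
  } catch {
    return false; // unparsable input is refused, not redirected
  }
  return target.origin === new URL(prefix).origin;
}

// Returns the normalized same-site path to redirect to, or null to refuse.
// Using the parsed result keeps the validated value and the sent value identical.
function safeRedirectTarget(url, prefix = URL_PREFIX) {
  if (!originCheck(url, prefix)) return null;
  const t = new URL(url, prefix);
  return t.pathname + t.search + t.hash;
}

// Constructed regression inputs (reserved .example / .test names).
const CASES = [
  '/u/123?tab=likes',                 // relative path on the site
  'https://app.example/consent',      // absolute, same origin
  'https://www.google.com/',          // absolute, off-site
  '//www.google.com/',                // scheme-relative, off-site
  'https://app.example.other.test/',  // different host sharing the prefix text
];

// One row per input showing where the two checks disagree.
function compare() {
  return CASES.map((url) => ({
    url, prefix: prefixCheck(url), origin: originCheck(url),
  }));
}

console.table(compare());
```

The last row is the one to keep as a regression test: the prefix check accepts it and the origin check refuses it.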

We are processing your report and will contact the openwhyd team within 24 hours. 2 years ago
Pocas modified the report
2 years ago
We have contacted a member of the openwhyd team and are waiting to hear back 2 years ago
We have sent a follow up to the openwhyd team. We will try again in 4 days. 2 years ago
Adrien Joly validated this vulnerability 2 years ago
p0cas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly
2 years ago


Good catch, thanks for submitting! I'm working on a fix: Feedback is welcome.

2 years ago


Confirmed patch commit! It's a good patch!

Adrien Joly marked this as fixed in 1.45.3 with commit 387079 2 years ago
Adrien Joly has been awarded the fix bounty
Adrien Joly
2 years ago


Can you assign a CVE to a researcher?

Jamie Slome
2 years ago

@adrienjoly - sorted! ♥️
