Open Redirect in jonschoning/espial


Reported on

Sep 25th 2021


Open Redirect at the add URL via the ?next= parameter

Proof of Concept

// PoC.request
POST /api/add HTTP/2
Cookie: _SESSION=t0+3lyA0gi4m/WOulD20ZJpY+2nW6ePHcVdc+I8Q+XV5W2b9qkCTm9/L9zYKNYg+rG7YmGyRg7SSZnGGG8NcZlrvXly7uPAUFtXaU+NzgjFoAwV8VSKA6KjB3JKwVxarCcSfW519/RjCDJJpq0ZBguQqPm4qF+dbAdIzAiP5XogmlVajF+8k9+UqxvpbGkZ6e3VGBdhOi44wL/AfySUfkxpro+yEVfeeBrLi3wefGrt4/SyZYivwQql8QocZQ/J2+p5UegTvYByqQlD8obT1p4BrmFecBq07y1KGpXDw+u76m4zF3NPw2pUJVKMD1rolqu3r+c/Z7htvP4A=; XSRF-TOKEN=rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Xsrf-Token: rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
Content-Type: application/json
Content-Length: 183
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"url":"","toread":null,"title":"Home -","time":null,"tags":null,"slug":null,"selected":null,"private":false,"description":"test","bid":null,"archiveUrl":null}

Steps to Reproduce

Access the add URL with the following URL:

After the bookmark is created successfully, it redirects to


This functionality is not restricted to relative URLs within the application and could be leveraged by an attacker to fool an end user into believing that a malicious URL they were redirected to is valid.
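A defender-side check for a next-style redirect parameter, added here as an example; it is not espial's own code (the project is written in Haskell) and not the fix the project shipped. It assumes the framework has already percent-decoded the query value once, and the function and constant names are hypothetical.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hypothetical fallback used when the requested target is not an in-app path.
DEFAULT_AFTER_ADD = "/"


def is_local_redirect_target(raw: Optional[str]) -> bool:
    """True only if `raw` is an absolute path on this application's origin.

    Assumes the framework has already percent-decoded the query value once,
    so `%2F%2Fevil.example` arrives here as `//evil.example`.
    """
    if not raw:
        return False
    target = raw.strip()
    # CR/LF or other control characters could split the Location header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Must start with a single "/": browsers treat "//host" and "/\host" as
    # scheme-relative URLs, and "///host" collapses to "//host" under the
    # WHATWG URL parser, so the second character decides.
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(target)
    # Any scheme or authority means the parser saw an external reference.
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_next_path(raw: Optional[str], default: str = DEFAULT_AFTER_ADD) -> str:
    """Return `raw` if it is an in-app path, otherwise `default`."""
    if not is_local_redirect_target(raw):
        return default
    parts = urlsplit(raw.strip())
    # Rebuild without scheme/netloc so the result is always origin-relative.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values of the kind a ?next= parameter might carry.
    for candidate in ["/bookmarks", "//evil.example/", "/\\evil.example",
                      "///evil.example", "https://evil.example/"]:
        print(f"{candidate!r:26} -> {safe_next_path(candidate)!r}")
```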

We have contacted a member of the jonschoning/espial team and are waiting to hear back 2 years ago
Jon Schoning validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jon Schoning marked this as fixed with commit db00a1 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE