Open Redirect in jonschoning/espial


Reported on

Sep 25th 2021


Open redirect on the add-URL page via the ?next= parameter

Proof of Concept

// PoC.request
POST /api/add HTTP/2
Cookie: _SESSION=t0+3lyA0gi4m/WOulD20ZJpY+2nW6ePHcVdc+I8Q+XV5W2b9qkCTm9/L9zYKNYg+rG7YmGyRg7SSZnGGG8NcZlrvXly7uPAUFtXaU+NzgjFoAwV8VSKA6KjB3JKwVxarCcSfW519/RjCDJJpq0ZBguQqPm4qF+dbAdIzAiP5XogmlVajF+8k9+UqxvpbGkZ6e3VGBdhOi44wL/AfySUfkxpro+yEVfeeBrLi3wefGrt4/SyZYivwQql8QocZQ/J2+p5UegTvYByqQlD8obT1p4BrmFecBq07y1KGpXDw+u76m4zF3NPw2pUJVKMD1rolqu3r+c/Z7htvP4A=; XSRF-TOKEN=rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Xsrf-Token: rK2UKn5OcYHo0nsPw8jOP5YR99BDb84wsCXxyaQ0
Content-Type: application/json
Content-Length: 183
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

{"url":"","toread":null,"title":"Home -","time":null,"tags":null,"slug":null,"selected":null,"private":false,"description":"test","bid":null,"archiveUrl":null}

Steps to Reproduce

Access the add-URL page with the URL:

After the bookmark is created successfully, the application redirects to:


The redirect target taken from ?next= is not restricted to relative URLs within the application. An attacker can therefore craft a link to the trusted espial origin that, once the add succeeds, sends the user to an arbitrary external site; because the user started on a legitimate espial URL, they may believe the destination they land on is also legitimate.
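The check a fix needs, as an added example written here in Python and not the project's own code (espial itself is a Haskell application): accept a next value only when it is a path on the current origin, and fall back to a default otherwise. The test vectors are constructed for this example and are not taken from the report.

```python
from urllib.parse import urlsplit


def safe_next(next_param, default="/"):
    """Hypothetical helper: return next_param if it is a same-origin path, else default.

    A same-origin path is the only thing a post-save redirect should ever accept.
    Every branch below rejects a form that browsers resolve to a different host.
    """
    if not next_param:
        return default
    # Browsers strip ASCII tab/newline before parsing, so "/\t/evil.example"
    # would be read as "//evil.example"; reject control and whitespace chars.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in next_param):
        return default
    # In http(s) URLs browsers treat '\' like '/', so "/\evil.example" is a
    # scheme-relative URL in disguise.
    if "\\" in next_param:
        return default
    # Exactly one leading '/': "//host/..." is scheme-relative, and anything
    # not starting with '/' is either absolute ("https://...") or a scheme
    # such as "javascript:".
    if not next_param.startswith("/") or next_param.startswith("//"):
        return default
    # Belt and braces: the standard parser must see neither scheme nor authority.
    parts = urlsplit(next_param)
    if parts.scheme or parts.netloc:
        return default
    return next_param


# Constructed vectors (value, expected result); not taken from the report.
VECTORS = [
    ("/dashboard", "/dashboard"),
    ("/add?url=https://x.example/&title=t", "/add?url=https://x.example/&title=t"),
    ("https://evil.example/", "/"),
    ("//evil.example", "/"),
    ("/\\evil.example", "/"),
    ("/\t/evil.example", "/"),
    ("javascript:alert(1)", "/"),
    ("", "/"),
]


def failing_vectors():
    """Return the vectors whose result differs from expectation (empty when all pass)."""
    return [(v, safe_next(v), want) for v, want in VECTORS if safe_next(v) != want]


if __name__ == "__main__":
    for value, _ in VECTORS:
        print(repr(value), "->", safe_next(value))
```

Allowing only a path, rather than comparing the host of an absolute URL against the request host, avoids the usual mistakes in the host-comparison approach (prefix matches such as espial.example.evil.example, userinfo tricks like https://espial.example@evil.example). Note that the query string is passed through untouched, which is fine here because the query never changes the origin.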

We have contacted a member of the jonschoning/espial team and are waiting to hear back (a year ago)
Jon Schoning validated this vulnerability (a year ago)
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jon Schoning confirmed that a fix has been merged on db00a1 (a year ago)
The fix bounty has been dropped