GHSA-564j-v29w-rqr6: Khoj Open Redirect Vulnerability in Login Page

Summary

An attacker can use the next parameter on the login page to redirect a victim to a malicious page while disguising the link behind a legitimate-looking app.khoj.dev URL. For example, https://app.khoj.dev/login?next=//example.com redirects to https://example.com, because //example.com is a protocol-relative URL that the browser resolves to an external host rather than to a path on app.khoj.dev.

Details

The problem seems to be in this method: https://github.com/khoj-ai/khoj/blob/2667ef45449eb408ce1d7c393be04845be31e15f/src/khoj/routers/auth.py#L95

PoC

Open the https://app.khoj.dev/login?next=//example.com URL in a Gecko-based browser (Firefox).

Impact

The impact is low, since this could only be used in phishing attempts, but it is still a problem nonetheless.
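The following is an added example of how a login handler can validate a next parameter before issuing the redirect described in the Summary and Details above. It is not Khoj's code and not the fix in the referenced commit; the ALLOWED_HOSTS allowlist and the function name are assumptions made for this illustration. It rejects the protocol-relative form from the PoC (//example.com) as well as the backslash and triple-slash variants that browsers collapse to the same thing, and reduces absolute same-origin URLs to a path so the Location header never echoes an attacker-chosen host.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the application's own origin(s).
ALLOWED_HOSTS = {"app.khoj.dev"}


def safe_redirect_target(next_param, default="/"):
    """Return a same-origin relative path derived from next_param, or default.

    Rejects protocol-relative targets ("//example.com"), absolute URLs to
    hosts outside ALLOWED_HOSTS, non-https schemes (javascript:, data:, ...),
    backslash variants, and embedded control characters. The query string is
    preserved; the fragment is dropped.
    """
    if not next_param:
        return default
    candidate = next_param.strip()

    # Reject whitespace and control characters outright: browsers and
    # urlsplit() strip different subsets of them, which is how filter
    # bypasses usually arise.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default

    # Browsers normalise backslashes to slashes, so "/\example.com" is
    # really "//example.com".
    candidate = candidate.replace("\\", "/")

    # Protocol-relative target. Browsers also collapse "///host" to "//host",
    # so check the raw string rather than trusting urlsplit()'s netloc.
    if candidate.startswith("//"):
        return default

    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute URL: only https to an allowlisted host is acceptable,
        # and even then we keep only the path so the host is ours.
        if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        path = parts.path or "/"
    else:
        path = parts.path

    # A relative target must be rooted at a single slash; a path such as
    # "//evil.com" (possible via "https://app.khoj.dev//evil.com") would be
    # reinterpreted as a host by the browser.
    if not path.startswith("/") or path.startswith("//"):
        return default

    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed inputs: the PoC value from the advisory plus common variants.
    for value in ["//example.com", "/\\example.com", "///example.com",
                  "https://example.com/login", "javascript:alert(1)",
                  "/chat?x=1", "https://app.khoj.dev/chat?x=1",
                  "https://app.khoj.dev//example.com"]:
        print(f"{value!r:40} -> {safe_redirect_target(value)!r}")
```

The function returns only a rooted path, so the handler can pass its result straight to the redirect response. Keeping the allowlist to the application's own origin, and collapsing allowed absolute URLs down to a path, is what prevents the masking behaviour the advisory describes.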

Package

khoj-assistant (pip)

Affected versions

< 1.14.0

Patched versions

1.14.0

References

  • GHSA-564j-v29w-rqr6
  • khoj-ai/khoj@4daf16e
  • https://github.com/khoj-ai/khoj/blob/2667ef45449eb408ce1d7c393be04845be31e15f/src/khoj/routers/auth.py#L95

debanjum published to khoj-ai/khoj: Jul 8, 2024
Published to the GitHub Advisory Database: Jul 8, 2024
Reviewed: Jul 8, 2024
