Headline
GHSA-w832-gg5g-x44m: Open redirect endpoint in Datasette
Impact
Deployed instances of Datasette prior to 0.65.2 and 1.0a21 include an open redirect vulnerability.
Hits to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar.
Patches
This problem has been patched in both Datasette 0.65.2 and 1.0a21.
Workarounds
If Datasette is running behind a proxy, that proxy could be configured to replace // with / in incoming request URLs.
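The advisory suggests doing this rewrite at the proxy; the added example below (not code from Datasette or from the advisory) applies the same rewrite in-process as an ASGI wrapper, and shows why a Location value beginning with // sends the browser to another host. The names CollapseSlashes, landing_host and path_seen_by_app and the host datasette.example are hypothetical.

```python
import asyncio
import re
from urllib.parse import urljoin, urlsplit

SLASHES = re.compile(r"/{2,}")
SLASHES_B = re.compile(rb"/{2,}")


def collapse_slashes(path: str) -> str:
    """The advisory's workaround: replace each run of '/' with a single '/'."""
    return SLASHES.sub("/", path)


def landing_host(request_url: str, location: str) -> str:
    """Host a browser reaches when it follows a Location header value."""
    return urlsplit(urljoin(request_url, location)).hostname


class CollapseSlashes:
    """ASGI wrapper that normalises the request path before the app sees it."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            scope = dict(scope)  # do not mutate the server's scope object
            scope["path"] = collapse_slashes(scope["path"])
            if scope.get("raw_path") is not None:
                # Some apps read raw_path instead of path, so fix both;
                # leave any query string a server put there untouched.
                p, sep, q = scope["raw_path"].partition(b"?")
                scope["raw_path"] = SLASHES_B.sub(b"/", p) + sep + q
        await self.app(scope, receive, send)


def path_seen_by_app(path: str) -> str:
    """Send a constructed HTTP scope through the wrapper; return the app's view."""
    seen = {}

    async def app(scope, receive, send):  # stand-in for the wrapped application
        seen["path"] = scope["raw_path"].decode("latin-1")

    scope = {"type": "http", "path": path, "raw_path": path.encode("latin-1")}
    asyncio.run(CollapseSlashes(app)(scope, None, None))
    return seen["path"]


if __name__ == "__main__":
    base = "https://datasette.example/"  # constructed host name
    print(landing_host(base, "//example.com/foo/bar"))  # scheme-relative URL
    print(path_seen_by_app("//example.com/foo/bar/"))
```

Once the path has been collapsed, stripping the trailing slash can only yield a same-origin path, so the wrapper can stay in place until the instance is upgraded to a patched release.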
Severity: Low
GitHub Reviewed. Published Nov 5, 2025 in simonw/datasette. Updated Nov 6, 2025.
Package: datasette (pip)
Affected versions: < 0.65.2; >= 1.0a0, < 1.0a20
Patched versions: 0.65.2; 1.0a21
References
- GHSA-w832-gg5g-x44m
- simonw/datasette#2429
- simonw/datasette@f257ca6
Published to the GitHub Advisory Database: Nov 6, 2025