Bug 2407445 (CVE-2025-64716, GHSA-cf57-c578-7jvv)

Summary: CVE-2025-64716 anubis: XSS via redirect parameter
Product: [Other] Security Response
Component: vulnerability
Reporter: OSIDB Bzimport <bzimport>
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in Anubis. This vulnerability allows cross-site scripting (XSS) via an unvalidated redirect parameter when using subrequest authentication mode.
Bug Depends On: 2412448, 2412449, 2412447

Description OSIDB Bzimport 2025-10-30 18:02:01 UTC
### Summary

When using subrequest authentication, Anubis did not validate the redirect URL and would redirect the user to a URL of any scheme. Most modern browsers refuse to follow a redirect to a `javascript:` URL, but the unvalidated value can still trigger dangerous behaviour in other cases.

`GET https://example.com/.within.website/?redir=javascript:alert()` responds with `Location: javascript:alert()`.

### Impact

Any deployment that uses subrequest authentication appears to be affected. Redirects to `javascript:` URLs will probably be blocked by most modern browsers, but a redirect to a custom protocol registered by a third-party application might still trigger dangerous operations on the user's machine.
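To make the failure mode concrete, here is an added example in Go (the language Anubis is written in). It is not Anubis's own code: the handler and function names, the way the `redir` parameter is read, and the constructed inputs are assumptions for illustration only. It places a handler that reproduces the unvalidated redirect beside a hardened one that accepts only an absolute path on the same site or an absolute http(s) URL whose host matches the request's Host header, and rejects every other scheme (including `javascript:` and custom application schemes), protocol-relative URLs, backslash forms that browsers normalise to `//`, and control characters.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Hypothetical names: none of these functions are Anubis's own code. The
// parameter name mirrors the advisory's reproduction (GET /.within.website/?redir=...).

// vulnerableRedirect reproduces the flaw: the redir value goes straight to
// http.Redirect. For a value that carries a scheme (javascript:, data:, myapp:)
// http.Redirect emits it unchanged in the Location header.
func vulnerableRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.URL.Query().Get("redir"), http.StatusFound)
}

// validateRedirect returns a redirect target that is safe to emit, or an error.
// Allowed: an absolute path on this site ("/dashboard?x=1"), or an absolute
// http(s) URL with no userinfo whose host equals reqHost (the Host header of the
// current request). Everything else is rejected.
func validateRedirect(raw, reqHost string) (string, error) {
	if raw == "" {
		return "/", nil // assumed default landing page
	}
	// Reject control characters (header injection, browser tab/newline stripping)
	// and backslashes, which browsers turn into "/" so that "/\evil.example"
	// becomes the protocol-relative "//evil.example".
	for _, c := range raw {
		if c < 0x20 || c == 0x7f || c == '\\' {
			return "", errors.New("redirect contains a forbidden character")
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("redirect is not a valid URL: %w", err)
	}
	switch {
	case u.Scheme == "" && u.Host == "":
		// Relative reference: must be an absolute path. url.Parse puts the host of
		// "//evil.example/" into u.Host, so that form never reaches this branch.
		if !strings.HasPrefix(u.Path, "/") {
			return "", errors.New("redirect must be an absolute path")
		}
		return u.String(), nil
	case (u.Scheme == "http" || u.Scheme == "https") && u.User == nil &&
		strings.EqualFold(u.Host, reqHost):
		return u.String(), nil
	default:
		return "", fmt.Errorf("redirect scheme %q / host %q not allowed", u.Scheme, u.Host)
	}
}

// hardenedRedirect only redirects to a validated target and fails closed otherwise.
func hardenedRedirect(w http.ResponseWriter, r *http.Request) {
	target, err := validateRedirect(r.URL.Query().Get("redir"), r.Host)
	if err != nil {
		http.Error(w, "invalid redirect target", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}

func main() {
	// Constructed inputs: the advisory's reproduction, the custom-scheme concern,
	// two off-site tricks, and two legitimate targets.
	inputs := []string{
		"javascript:alert()", "myapp://wipe", "//evil.example/",
		"/\\evil.example", "/dashboard?x=1", "https://example.com/ok",
	}
	for _, in := range inputs {
		out, err := validateRedirect(in, "example.com")
		fmt.Printf("%-26q -> %q, %v\n", in, out, err)
	}
}
```

The host comparison uses the request's own Host header rather than a hard-coded site name so the check follows whatever hostname Anubis is actually serving; userinfo is refused outright because `https://example.com@evil.example/` parses with `example.com` as the user, not the host.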

### Note

This was originally reported by @mbiesiad against Weblate.