
AIKIDO-2025-10261

Ocelot is vulnerable to Open Redirect

Open Redirect. CVE-2024-39694. Published Apr 22, 2025.


Medium Risk

This Affects:

Ecosystem: DOTNET
Package: Ocelot
Versions: 13.0.0 - 23.4.3
Fixed in: 24.0.0

TL;DR

Affected versions of this package rely on IdentityServer4, which is known to be vulnerable to open redirect attacks. Methods such as GetAuthorizationContextAsync and IsValidReturnUrl may return non-null or true for malicious URLs, allowing a user to be redirected to an untrusted site. Less commonly used methods, including ServerUrlExtensions.GetIdentityServerRelativeUrl, ReturnUrlParser.ParseAsync, and OidcReturnUrlParser.ParseAsync, have similar flaws. The fixed version addresses the issue by removing the IdentityServer4 packages and disabling the related functionality.
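The failure mode described above is a return-URL validator that accepts values it should reject. The following is an added example, not code from Ocelot or IdentityServer4, of the strict same-origin check a defender would want in front of any post-login redirect; the type and method names (ReturnUrlPolicy, IsSafeLocalReturnUrl) and the sample inputs are constructed for illustration. It complements, and does not replace, the upgrade the advisory recommends.

```csharp
using System;

// Added example, not code from Ocelot or IdentityServer4. The type and method names
// (ReturnUrlPolicy, IsSafeLocalReturnUrl) are hypothetical.
public static class ReturnUrlPolicy
{
    // Returns true only for path-relative, same-origin return URLs such as "/account".
    // Absolute URLs, protocol-relative "//host", backslash variants and control
    // characters are rejected, on both the raw value and a once-decoded copy, because
    // some pipelines percent-decode the value before issuing the redirect.
    public static bool IsSafeLocalReturnUrl(string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl)) return false;
        return LooksLocal(returnUrl) && LooksLocal(Uri.UnescapeDataString(returnUrl));
    }

    private static bool LooksLocal(string url)
    {
        // Must begin with exactly one forward slash: "/path", not "//host" or "/\host".
        if (url.Length == 0 || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;

        // Browsers normalise "\" to "/" and strip tab/newline, so reject them anywhere
        // rather than trying to predict how a given client will rewrite the URL.
        foreach (char c in url)
        {
            if (c == '\\' || char.IsControl(c)) return false;
        }
        return true;
    }

    // Constructed sample inputs: the first two are allowed, the rest are rejected.
    public static void Main()
    {
        string[] samples =
        {
            "/account",
            "/signin-oidc?code=abc&state=xyz",
            "//evil.example/",
            "/\\evil.example/",
            "https://evil.example/",
            "/%2F%2Fevil.example/",
            "/\t/evil.example/"
        };
        foreach (string s in samples)
        {
            string verdict = IsSafeLocalReturnUrl(s) ? "allowed " : "rejected";
            Console.WriteLine($"{verdict} {s}");
        }
    }
}
```

The check is deliberately an allowlist: anything that is not a plain path on the current origin is refused, and the redirect handler should fall back to a fixed default page rather than to the supplied value. Note that `Uri.TryCreate(url, UriKind.Absolute, ...)` is avoided on purpose, since on Unix hosts .NET treats a bare "/path" as an absolute file URI and the test would reject every legitimate value.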

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

Ocelot is vulnerable to Open Redirect in versions 13.0.0 - 23.4.3.

How to fix this

Upgrade the Ocelot library to the patched version, 24.0.0.