Intel

AIKIDO-2026-915660

shopify_app is vulnerable to Open Redirect

Open Redirect Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

59

Medium Risk

This Affects:

RUBYshopify_app
20.1.0 - 23.0.1
Fixed in 23.0.2
Are you affected? Scan for Free

TL;DR

The generated unauthenticated HomeController template builds a redirect target from the attacker-controllable host query parameter and calls redirect_to with allow_other_host: true, so the embedded-app redirect can point at an arbitrary external host. An attacker who lures a user to a crafted URL can redirect them to an attacker-controlled site for phishing or credential harvesting. The template previously performed no validation on the host-derived URL before redirecting off-host. The fix computes the redirect URL, validates it with deduced_phishing_attack?, and falls back to ShopifyApp.configuration.root_url when the target looks suspicious.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the generated unauthenticated HomeController template.

Background info

shopify_app is vulnerable to Open Redirect in versions 20.1.0 - 23.0.1.

How to fix this

Upgrade the shopify_app library to the patch version.