shopify_app is vulnerable to Open Redirect
59
Medium Risk
The generated unauthenticated HomeController template builds a redirect target from the attacker-controllable host query parameter and calls redirect_to with allow_other_host: true, so the embedded-app redirect can point at an arbitrary external host. An attacker who lures a user to a crafted URL can redirect them to an attacker-controlled site for phishing or credential harvesting. The template previously performed no validation on the host-derived URL before redirecting off-host. The fix computes the redirect URL, validates it with deduced_phishing_attack?, and falls back to ShopifyApp.configuration.root_url when the target looks suspicious.
You are affected if you are using a version that falls within the vulnerable range and your application uses the generated unauthenticated HomeController template.
shopify_app is vulnerable to Open Redirect in versions 20.1.0 - 23.0.1.
Upgrade the shopify_app library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant