
CVE-2025-64481: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in simonw datasette

Severity: Low
Tags: Vulnerability, CVE-2025-64481, cve, cwe-601
Published: Fri Nov 07 2025 (11/07/2025, 20:35:39 UTC)
Source: CVE Database V5
Vendor/Project: simonw
Product: datasette

Description

CVE-2025-64481 is an open redirect vulnerability in the Datasette open source data publishing tool affecting versions below 0.65.2 and 1.0a0 through 1.0a19. The flaw allows attackers to craft URLs with double slashes (//) that cause the application to redirect users to arbitrary external sites without validation. This can be exploited to facilitate phishing or to redirect users to malicious domains. The vulnerability has a low CVSS score of 2.7, indicating limited impact, although it can be triggered without authentication or user interaction. It has been patched in Datasette versions 0.

AI-Powered Analysis

Last updated: 12/26/2025, 22:25:04 UTC

Technical Analysis

CVE-2025-64481 is classified as a CWE-601 open redirect vulnerability found in the Datasette tool, an open source platform widely used for exploring and publishing data. The vulnerability exists in Datasette versions prior to 0.65.2 and between 1.0a0 and 1.0a19 inclusive. It arises from improper handling of URLs containing double slashes (//) in the path component. Specifically, when a URL path includes a double slash followed by a domain-like string (e.g., //example.com/foo/bar/), Datasette interprets this as a redirect instruction, sending users to the external site https://example.com/foo/bar. This behavior can be exploited by attackers to craft malicious links that redirect users to untrusted or harmful websites, potentially facilitating phishing attacks or other social engineering exploits. The vulnerability does not require authentication or user interaction to be triggered, but the impact is limited to redirecting users, without direct compromise of confidentiality, integrity, or availability of the Datasette server or data. The issue has been addressed in Datasette versions 0.65.2 and 1.0a21 by correcting URL parsing logic to prevent open redirects. As an interim mitigation, organizations deploying Datasette behind reverse proxies can configure those proxies to rewrite incoming URLs by replacing double slashes with a single slash, thus neutralizing the redirect vector. No known exploits have been reported in the wild as of the publication date. The CVSS 4.0 base score is 2.7, reflecting low severity due to the limited scope and impact of the vulnerability.

Potential Impact

For European organizations, the primary risk posed by CVE-2025-64481 is the potential for phishing and social engineering attacks leveraging trusted Datasette URLs that redirect users to malicious sites. This could undermine user trust in published data portals and expose end users to credential theft or malware delivery. However, the vulnerability does not directly compromise the confidentiality, integrity, or availability of the Datasette service or the underlying data. Organizations using Datasette for public data publication or internal data sharing may face reputational damage if users are redirected to harmful sites. The impact is more pronounced in sectors with high reliance on data transparency and public engagement, such as government open data initiatives, research institutions, and NGOs. Since exploitation requires no authentication and no user interaction beyond clicking a crafted link, attackers could distribute malicious URLs via email or social media. Nonetheless, the low CVSS score and absence of known exploits suggest limited immediate risk. Prompt patching or proxy-based mitigation will effectively reduce exposure. Overall, the impact on European organizations is low but non-negligible, especially for those with public-facing Datasette instances.

Mitigation Recommendations

1. Upgrade all Datasette deployments to version 0.65.2 or later, or 1.0a21 or later, where the vulnerability is patched.
2. For environments where immediate upgrade is not feasible, configure reverse proxies (e.g., Nginx, Apache, HAProxy) to normalize incoming URLs by replacing occurrences of double slashes (//) in the path with a single slash (/). This prevents the open redirect trigger.
3. Implement strict URL validation and sanitization on any user-facing links generated by Datasette or related applications to avoid embedding untrusted redirects.
4. Educate users and administrators about the risk of open redirects and encourage vigilance against suspicious URLs, especially those containing unusual double slashes.
5. Monitor web server and proxy logs for unusual redirect patterns or requests containing double slashes in URLs.
6. Consider deploying web application firewalls (WAFs) with custom rules to detect and block requests attempting to exploit this redirect behavior.
7. Review and update organizational phishing awareness programs to include risks associated with open redirect vulnerabilities.
8. For public-facing Datasette instances, consider implementing Content Security Policy (CSP) headers to restrict navigation to trusted domains, mitigating the impact of malicious redirects.
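The following Python is an added example written for this page; it is not Datasette's code or its fix. It shows three defender-side pieces that the technical analysis and mitigation steps 2, 3 and 5 describe in prose: collapsing double slashes in a request path (what a reverse-proxy rewrite does), a validator that only accepts same-origin redirect targets and rejects the protocol-relative `//example.com/...` form (plus the backslash and control-character variants browsers treat the same way), and a scanner that flags double-slash paths in access logs. The log lines are constructed samples in the common combined log format; the `302` status on the sample redirect is part of the constructed data, not a statement about how Datasette responds.

```python
"""Defender-side helpers for the CVE-2025-64481 double-slash open redirect.

Added example, not Datasette's own code. Assumes nothing beyond the
Python standard library; the log lines at the bottom are constructed.
"""
import re
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def normalize_path(path: str) -> str:
    """Collapse runs of slashes in the path component only (mitigation step 2).

    '//example.com/foo/bar/' becomes '/example.com/foo/bar/', so it can no
    longer be read as a protocol-relative URL. The query string is left
    untouched because '//' inside parameters is not the redirect trigger.
    """
    path_part, sep, query = path.partition("?")
    return re.sub(r"/{2,}", "/", path_part) + sep + query


def is_safe_local_redirect(target: str) -> bool:
    """Return True only for a same-origin path such as '/db/table' (step 3).

    Rejects absolute URLs, protocol-relative URLs ('//host/...'), the
    backslash variant ('/\\host') that browsers normalise to a slash, and
    any embedded control/whitespace characters, which some parsers strip
    before interpreting the URL.
    """
    if not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    if any(ord(ch) < 0x20 or ch == " " for ch in target):
        return False
    parts = urlsplit(target)
    # A genuine local path has neither a scheme nor a host component.
    return parts.scheme == "" and parts.netloc == ""


def flag_double_slash_requests(lines):
    """Return (client_ip, path, status) for requests whose path has '//' (step 5)."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        path = match.group("path")
        if "//" in path.partition("?")[0]:
            hits.append((match.group("ip"), path, int(match.group("status"))))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Nov/2025:20:40:01 +0000] "GET /fixtures/facetable HTTP/1.1" 200 5120',
    '203.0.113.7 - - [07/Nov/2025:20:40:03 +0000] "GET //example.com/foo/bar/ HTTP/1.1" 302 0',
    '198.51.100.9 - - [07/Nov/2025:20:41:10 +0000] "GET /fixtures?sql=select+1 HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    print(normalize_path("//example.com/foo/bar/"))
    for candidate in ("/fixtures/facetable", "//example.com/foo", "/\\example.com"):
        print(candidate, "->", "allowed" if is_safe_local_redirect(candidate) else "rejected")
    for ip, path, status in flag_double_slash_requests(SAMPLE_LOG):
        print(f"suspicious request from {ip}: {path} (status {status})")
```

The scanner deliberately ignores `//` inside the query string, since parameters that carry URLs are common and are not the vector the advisory describes; tune that if your own logs show otherwise.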


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-05T19:12:25.101Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 694f079233784cecd499b7fe

Added to database: 12/26/2025, 10:09:22 PM

Last enriched: 12/26/2025, 10:25:04 PM

Last updated: 12/27/2025, 1:46:18 AM

