WebOb, a library providing HTTP request and response objects, had a vulnerability in versions before 1.8.10 related to the normalization of the HTTP Location header during redirects. The library uses Python's urljoin to join the redirect target to the request URI. Since Python 3.10, urlsplit strips ASCII tab, carriage return, and newline characters before parsing, which can cause a redirect target containing such characters to be interpreted as a protocol-relative URL with an attacker-controlled host. This behavior bypasses the previous fix for CVE-2024-42353 that escaped leading double slashes, enabling an attacker who controls the redirect location to redirect users to arbitrary external sites. The vulnerability is addressed in webob version 1.8.10.

An attacker who can influence the redirect location can exploit this vulnerability to redirect users to malicious external sites, potentially leading to phishing or other social engineering attacks. The vulnerability affects confidentiality and integrity by misleading users about the destination of redirects. There is no direct impact on availability. The CVSS score is 6.1 (medium severity), reflecting network attack vector, low complexity, no privileges required, user interaction required, and partial confidentiality and integrity impact.

This vulnerability is fixed in webob version 1.8.10. Users and administrators should upgrade to version 1.8.10 or later to remediate this issue. No other mitigation or workaround is indicated in the available data.