GHSA-x7qq-m748-8p2c: Probo has an open redirect bypass via path normalization
Probo's saferedirect package contains an open redirect vulnerability due to improper path normalization. The validator only checked the second character of relative paths, allowing crafted URLs with backslashes to bypass validation. This leads to redirection to external domains, enabling phishing attacks. The issue is fixed in probod v0.194.1 and later. SaaS deployments on getprobo.com are already patched. No practical workaround exists for self-hosted versions prior to the fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Probo's saferedirect package arises because the redirect URL validator only inspects the second character of relative paths, allowing URLs like '/../\evil.com' to pass validation. Go's http.Redirect normalizes such paths by converting backslashes to slashes, which browsers may interpret as host separators, resulting in redirection to external domains. This bypasses same-origin restrictions and enables open redirect phishing attacks. The fix involves normalizing paths with path.Clean, rejecting backslashes (including percent-encoded ones), and revalidating the normalized path. The vulnerability affects versions before 0.204.0 and is patched in probod v0.194.1 and later. SaaS deployments are already patched.
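The following Go program is an added illustration and is not Probo's own saferedirect code. It places a naive validator that inspects only the second character of a relative path (a reconstruction of the flaw as the analysis describes it, not the project's actual implementation) next to a hardened validator built along the lines of the described fix: reject backslashes, raw or percent-encoded, normalize with path.Clean, and re-check the normalized form. The helper names naiveValidate, locationAfterClean and ValidateRedirect are assumptions; the sample targets are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// naiveValidate is an illustrative reconstruction of the flawed check the
// advisory describes (only the second character of a relative path is
// inspected). It is NOT Probo's actual code. It accepts "/../\evil.com"
// because the second character is '.', not '/'.
func naiveValidate(target string) bool {
	if len(target) == 0 || target[0] != '/' {
		return false
	}
	return len(target) == 1 || target[1] != '/' // only "//host" is blocked
}

// locationAfterClean shows what Go's http.Redirect does to a relative target
// before emitting the Location header: it resolves the path with path.Clean.
// Clean only understands "/", so the ".." segment is removed but the
// backslash survives, and "/../\evil.com" becomes "/\evil.com", which a
// browser reads as the protocol-relative "//evil.com".
func locationAfterClean(target string) string {
	return path.Clean(target)
}

// ValidateRedirect is a hardened validator in the spirit of the fix the
// advisory describes: reject backslashes (raw or percent-encoded), normalize
// with path.Clean, and re-validate the normalized form. It returns the
// same-origin path (query preserved) or ok=false. Assumed helper, not Probo's API.
func ValidateRedirect(target string) (string, bool) {
	// Backslashes anywhere are rejected up front, including %5C / %5c,
	// because browsers treat "\" as "/" when resolving a Location header.
	if strings.Contains(target, `\`) || strings.Contains(strings.ToLower(target), "%5c") {
		return "", false
	}
	u, err := url.Parse(target)
	if err != nil {
		return "", false
	}
	// Anything carrying a scheme, host, userinfo or opaque part is not a relative path.
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "", false
	}
	// Must be an absolute path on this origin, and not protocol-relative.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", false
	}
	// Normalize exactly as http.Redirect will, then check the invariant again
	// on the normalized form so ".." segments cannot reshape the path.
	clean := path.Clean(u.Path)
	if !strings.HasPrefix(clean, "/") || strings.HasPrefix(clean, "//") || strings.Contains(clean, `\`) {
		return "", false
	}
	if u.RawQuery != "" {
		clean += "?" + u.RawQuery
	}
	return clean, true
}

func main() {
	// Constructed sample targets: the advisory's bypass string plus benign and absolute URLs.
	samples := []string{`/../\evil.com`, "/%5Cevil.com", "//evil.com", "https://evil.com", "/a/../dashboard?tab=1"}
	for _, t := range samples {
		got, ok := ValidateRedirect(t)
		fmt.Printf("%-24q naive=%-5t hardened_ok=%-5t -> %q\n", t, naiveValidate(t), ok, got)
	}
}
```

The order of the checks matters: the backslash test runs on the raw string before url.Parse decodes percent-escapes, and the prefix test is repeated after path.Clean because a target that looked harmless before normalization can change shape once ".." segments are resolved.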
Potential Impact
An attacker can craft malicious redirect URLs that appear to originate from trusted Probo domains but redirect users to external, potentially malicious sites. This can facilitate phishing attacks by exploiting the open redirect vulnerability. The vulnerability does not impact confidentiality or availability but can lead to user deception and potential credential theft or other social engineering outcomes.
Mitigation Recommendations
Self-hosted Probo deployments should upgrade to probod version 0.194.1 or later to address this vulnerability. SaaS deployments on getprobo.com have already been patched by the vendor. There are no practical workarounds for self-hosted installations prior to the patch. Users should apply the official fix to ensure proper path normalization and validation.
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-x7qq-m748-8p2c
- Osv Schema Version: 1.4.0
- Aliases: CVE-2026-49820
- Ecosystems: Go
- Database Specific Severity: MODERATE
- Cvss Version: 3.1
Threat ID: 6a4452e227e9c797198e11b3
Added to database: 06/30/2026, 23:36:02 UTC
Last enriched: 06/30/2026, 23:48:20 UTC
Last updated: 06/30/2026, 23:48:20 UTC