Uncontrolled external site redirect in python-oauthlib
Description
OAuthLib is vulnerable to DoS when an attacker provides a malicious IPv6 URI
Impact
An attacker providing a malicious redirect URI can cause a DoS against the web application that uses oauthlib.
An attacker can also leverage the uri_validate functions directly, depending on where they are used.
What kind of vulnerability is it? Who is impacted?
Oauthlib applications using the OAuth 2.0 provider support, or that call the uri_validate functions directly.
Patches
Has the problem been patched? What versions should users upgrade to?
Issue fixed in 3.2.2 release.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
The redirect_uri can be verified in the web toolkit (e.g. bottle-oauthlib, django-oauth-toolkit, ...) before oauthlib is called. A simple check that rejects the request if ":" is present in the host part can prevent the DoS, assuming neither a port nor an IPv6 host is fundamentally required.
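An added example of such a pre-check, written for this page and not taken from oauthlib or any of the toolkits named above. It assumes the deployment needs neither explicit ports nor IPv6 literal hosts; the function name and the length bound are this example's own choices.

```python
from urllib.parse import urlsplit

# Constructed input in the shape of the advisory's PoC: a bracketed host made of colons.
MALICIOUS_IPV6_URI = "http://[:::::::::::::::::::::::::::::::::::::::]/path"


def redirect_uri_passes_precheck(uri: str, max_length: int = 2048) -> bool:
    """Return True only if the redirect_uri is safe to hand to oauthlib.

    Implements the advisory's workaround: reject any ':' in the authority
    (host) part, which covers ports, IPv6 literals and userinfo with a
    password. Callers that need ports or IPv6 must not use this check as is.
    The max_length bound is an extra assumption of this example.
    """
    if not isinstance(uri, str) or len(uri) > max_length:
        return False
    try:
        parts = urlsplit(uri)
    except ValueError:
        # Newer Python versions reject malformed bracketed hosts here;
        # treat that as a rejection rather than an error.
        return False
    if not parts.scheme or not parts.netloc:
        # An absolute URI with an authority is required for a redirect target.
        return False
    # The workaround itself: no ':' allowed in the host part.
    return ":" not in parts.netloc


def precheck_then_authorize(uri: str) -> str:
    """Sketch of where the check sits: run it before oauthlib sees the request."""
    if not redirect_uri_passes_precheck(uri):
        return "rejected"
    # Here the toolkit would call into oauthlib's authorization endpoint.
    return "forwarded"
```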
References
Attack Vector:
Attacker providing malicious redirect uri: https://github.com/oauthlib/oauthlib/blob/d4bafd9f1d0eba3766e933b1ac598cbbf37b8914/oauthlib/oauth2/rfc6749/grant_types/base.py#L232
Vulnerable uri_validate functions:
https://github.com/oauthlib/oauthlib/blob/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2/oauthlib/uri_validate.py
PoC
```python
from oauthlib.uri_validate import is_absolute_uri

# Pathological IPv6-style host that triggers the slow validation path in unpatched releases.
is_absolute_uri("http://[:::::::::::::::::::::::::::::::::::::::]/path")
```
Acknowledgement
Special thanks to Sebastian Chnelik - PyUp.io
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| debian 12 | 3.2.1-1 | | |
| pypi | 3.2.2 | | |
| debian 14 | 3.2.1-1 | | |
| debian 13 | 3.2.1-1 | | |
| rpm rhel9 | 0:4.10.0-43.el9 | | |