Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode

Summary

When using subrequest authentication, Anubis did not perform validation of the redirect URL and redirects user to any URL scheme. While most modern browsers do not allow a redirect to javascript: URLs, it could still trigger dangerous behavior in some cases.

GET https://example.com/.within.website/?redir=javascript:alert() responds with Location: javascript:alert().

Impact

Anybody with a subrequest authentication seems affected. Using javascript: URLs will probably be blocked by most modern browsers, but using custom protocols for third-party applications might still trigger dangerous operations.

Note

This was originally reported by @mbiesiad against Weblate.

Published: Oct 30, 2025
Updated: Oct 31, 2025
GHSA: GHSA-cf57-c578-7jvv
Severity: Low
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CWEs:

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
github.com/TecharoHQ/anubis	-	1.23.0

Vulnerability Database

Anubis vulnerable to possible XSS via redir parameter when using subrequest auth mode

Summary

Impact

Note

Deep Security Visibility Without the Complexity