CVE-2025-60868

The Alt Redirect 1.6.3 addon for Statamic fails to consistently strip query string parameters when the "Query String Strip" feature is enabled. Case variations, encoded keys, and duplicates are not removed, allowing attackers to bypass sanitization. This may lead to cache poisoning, parameter pollution, or denial of service.

Published: Oct 10, 2025
Updated: Oct 14, 2025
CVE: CVE-2025-60868
GHSA: GHSA-rpjr-pcmr-9ppw
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-290

Affected Software
References

Software	From	Fixed in
alt-design / alt-redirect	-	1.6.4

https://gist.github.com/kasiasok/870933de18d1400fa8be88e1bcadec6c
https://github.com/alt-design/Alt-Redirect-Addon/commit/5dc6753c7151ac994c63e18914998991b1f65cbd
https://github.com/alt-design/Alt-Redirect-Addon/releases/tag/v1.6.4
https://statamic.com/addons/alt-design/alt-redirects/release-notes

Vulnerability Database

CVE-2025-60868

Deep Security Visibility Without the Complexity