Summary
Mitigation
Make sure GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN is not set in a production environment. So the following is correct:
assert os.getenv("GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN") is None
Vulnerability Description
Vulnerability Overview
- When the GET /auth-codespace page loads in a GitHub Codespaces environment, it automatically assigns the redirect_to query parameter value directly to client-side links without any validation and triggers automatic clicks. This allows attackers to redirect users to arbitrary external URLs.
- The route is only registered when a Codespaces environment is detected, and the detection is controlled by environment variables. This means that the same behavior can be activated in production if the corresponding environment variable is set.
Vulnerable Code Analysis
- This code assigns the redirect_to query parameter directly to a.href without any validation and immediately triggers a click (automatic navigation), allowing users to be sent to arbitrary external domains, resulting in an open redirect vulnerability.
- The execution condition is simply based on the presence of a sessionStorage flag, meaning it triggers immediately on first visits or in incognito/private browsing windows, with no server-side origin/scheme whitelist or internal path enforcement defenses in place.
PoC
PoC Description
- Used the production configuration from docker-example (docker-example/production-compose).
- Added a Codespaces detection environment variable to the app container in compose.yaml to forcibly expose the route.
- GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN: dummy
- The reverse proxy (Caddy) needs to be configured to forward /auth-codespace to the backend (required depending on the environment).
curl Example
https://localhost/auth-codespace?redirect_to=http://google.com
Impact
Phishing/Social Engineering Attacks
Users can be exploited by immediately redirecting from a trusted domain to external malicious sites, taking advantage of user trust. This enables login page spoofing, credential harvesting, and redirection to malware distribution pages.
Authentication/Session Flow Disruption
When users with valid sessions/cookies from the same origin click the link, they are redirected to unintended external domains, which can bypass or disrupt authentication/authorization flows. When combined with redirect-based flows like OAuth/OIDC, this can escalate into security incidents.
Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites. Typical impact: phishing and credential harvesting via a trusted domain.
CVE-2025-62379 has a CVSS score of 3.1 (Low). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
In the interim: Validate redirect destinations against an allowlist of permitted URLs or paths. Reject destinations that include an unexpected authority component.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-62379? CVE-2025-62379 is a low-severity open redirect vulnerability in reflex (pip), affecting versions >= 0.5.4, <= 0.8.14. No fixed version is listed yet. Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites.
- How severe is CVE-2025-62379? CVE-2025-62379 has a CVSS score of 3.1 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of reflex are affected by CVE-2025-62379? reflex (pip) versions >= 0.5.4, <= 0.8.14 is affected.
- Is there a fix for CVE-2025-62379? No fixed version is listed for CVE-2025-62379 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2025-62379 exploitable, and should I be worried? Whether CVE-2025-62379 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-62379 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-62379? No fixed version is listed yet. In the interim: Validate redirect destinations against an allowlist of permitted URLs or paths. Reject destinations that include an unexpected authority component.