VYPR
High severity (7.4, NVD) · Advisory · Published Oct 7, 2016 · Updated May 6, 2026

CVE-2016-1000001

Description

flask-oidc version 0.1.2 and earlier is vulnerable to an open redirect: the post-login destination carried in the OIDC state parameter was passed to redirect() in the callback without validation, so a crafted callback could send the user to an arbitrary URL after authentication.
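The flaw and the two layers of its fix, as an added example that is not flask-oidc's code. It is stdlib only: an HMAC-SHA256 token stands in for the itsdangerous JSON Web Signature serializer the real fix uses, and the OIDC state is modelled as a plain dict rather than a Flask session and redirect response. The secret key, the attacker callback and the destinations are all constructed for the example. It also goes one step past the shipped fix: a signed destination proves only that this application produced it, so the example adds a same-site check as well.

```python
"""Open redirect through an OIDC login 'destination', before and after hardening.

Added example; not flask-oidc's code. Stdlib only: an HMAC-SHA256 token stands
in for itsdangerous' JSONWebSignatureSerializer, and the OIDC state parameter
is modelled as a plain dict instead of a Flask session / redirect response.
"""
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Constructed secret; plays the role of app.config['SECRET_KEY'].
SECRET_KEY = b"constructed-example-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_destination(destination: str, key: bytes = SECRET_KEY) -> str:
    """'payload.signature' token, the role the JWS plays in the 1.0.0 fix."""
    payload = _b64(destination.encode("utf-8"))
    sig = _b64(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_destination(token: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Return the signed destination, or None on any tampering or garbage."""
    payload, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = _b64(hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode("utf-8"), sig.encode("utf-8")):
        return None
    try:
        return _unb64(payload).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def is_local_destination(destination: str) -> bool:
    """Accept only a path on this app: one leading '/', no scheme, no host."""
    parts = urlsplit(destination)
    if parts.scheme or parts.netloc:  # https://evil.example/, //evil.example/
        return False
    # '/\evil.example' is treated as protocol-relative by some browsers.
    return destination.startswith("/") and destination[1:2] not in ("/", "\\")


def begin_login(destination: str, key: bytes = SECRET_KEY) -> dict:
    """Build the state sent to the IdP; reject off-site targets before signing."""
    if not is_local_destination(destination):
        destination = "/"
    return {"destination": sign_destination(destination, key)}


def vulnerable_callback(state: dict) -> str:
    """flask-oidc <= 0.1.2: redirect wherever the returned state says."""
    return state["destination"]


def signed_callback(state: dict, key: bytes = SECRET_KEY) -> str:
    """The 1.0.0 fix: only the authenticity of the destination is checked."""
    dest = verify_destination(state["destination"], key)
    return dest if dest is not None else "/"


def hardened_callback(state: dict, key: bytes = SECRET_KEY) -> str:
    """Authenticity plus a same-site check, so a signed off-site URL is refused."""
    dest = signed_callback(state, key)
    return dest if is_local_destination(dest) else "/"


if __name__ == "__main__":
    forged = {"destination": "https://evil.example/"}  # constructed attacker callback
    print(vulnerable_callback(forged))   # https://evil.example/
    print(signed_callback(forged))       # /
    print(hardened_callback(begin_login("/dashboard?tab=1")))  # /dashboard?tab=1
```

`signed_callback` alone still follows a signed off-site URL, which is what happens if an application signs a user-supplied `next` parameter unchecked; `begin_login` and `hardened_callback` close that by validating the destination on both sides of the round trip.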

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            | Affected versions | Patched versions
flask-oidc (PyPI)  | < 1.0.0           | 1.0.0


Patches

f2ef8b4ffa44

Validate destination before redirecting user

https://github.com/puiterwijk/flask-oidc · Patrick Uiterwijk · May 18, 2016 · via GHSA
1 file changed · +14 −4
  • flask_oidc/__init__.py · +14 −4 · modified
    @@ -11,7 +11,8 @@
     from oauth2client.client import flow_from_clientsecrets, OAuth2WebServerFlow,\
         AccessTokenRefreshError
     import httplib2
    -from itsdangerous import TimedJSONWebSignatureSerializer, SignatureExpired
    +from itsdangerous import JSONWebSignatureSerializer, BadSignature, \
    +    TimedJSONWebSignatureSerializer, SignatureExpired
     
     __all__ = ['OpenIDConnect', 'MemoryCredentials']
     
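Review bot: the new JSONWebSignatureSerializer import is the untimed variant, while the TimedJSONWebSignatureSerializer already imported on the next line would give the signed destination an expiry; as written, a captured signed destination stays valid forever and can be replayed in any later callback. Unless permanence is intended, sign the destination with the timed serializer and a short `expires_in` as well. Note also that itsdangerous 2.0 removed both JWS serializers, so this import pins the package below 2.0.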
    @@ -77,7 +78,9 @@ def init_app(self, app):
                 scope=app.config['OIDC_SCOPES'])
             assert isinstance(self.flow, OAuth2WebServerFlow)
     
    -        # create a cookie signer using the Flask secret key
    +        # create signers using the Flask secret key
    +        self.destination_serializer = JSONWebSignatureSerializer(
    +            app.config['SECRET_KEY'])
             self.cookie_serializer = TimedJSONWebSignatureSerializer(
                 app.config['SECRET_KEY'])
     
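Review bot: both serializers are constructed from the same `app.config['SECRET_KEY']` with no salt, so a value signed for one purpose also verifies under the other; give each signing context its own salt, e.g. `JSONWebSignatureSerializer(app.config['SECRET_KEY'], salt='oidc-destination')`, so a cookie token can never be presented as a destination or vice versa.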
    @@ -195,6 +198,7 @@ def redirect_to_auth_server(self, destination):
                                 before we noticed they weren't logged in
             :return: a redirect response
             """
    +        destination = self.destination_serializer.dumps(destination)
             csrf_token = b64encode(self.urandom(24)).decode('utf-8')
             session['oidc_csrf_token'] = csrf_token
             state = {
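Review bot: `destination = self.destination_serializer.dumps(destination)` signs the value without checking what it is, so signing proves only that this application produced the destination, not that it is safe. If `destination` is filled from a user-supplied parameter (a `next`-style query value) before it reaches this method, the open redirect survives with a valid signature. Validate before the dumps call that the destination is a path on this application (single leading `/`, no scheme, no netloc) and substitute `/` otherwise.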
    @@ -321,10 +325,16 @@ def oidc_callback(self):
             # when Google is the IdP, the subject is their G+ account number
             self.credentials_store[id_token['sub']] = credentials
     
    +        # Check whether somebody messed with the destination
    +        destination = destination
    +        try:
    +            response = redirect(self.destination_serializer.loads(destination))
    +        except BadSignature:
    +            logger.error('Destination signature did not match. Rogue IdP?')
    +            response = redirect('/')
    +
             # set a persistent signed cookie containing the ID token
             # and redirect to the final destination
    -        # TODO: validate redirect destination
    -        response = redirect(destination)
             self.set_cookie_id_token(id_token)
             return response
     
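Review bot: `destination = destination` is a no-op and should be dropped. The `except BadSignature` only covers signature failures: `loads` can also raise `BadPayload`, which derives from `BadData` rather than `BadSignature`, so an undecodable but otherwise accepted payload would escape the fallback; catch `itsdangerous.BadData` so every failure lands on `redirect('/')`. The log message blames a rogue IdP, but the state parameter travels through the user's browser, so a tampered destination can just as well be the user or a crafted callback link; word the message accordingly.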
    
