VYPR
Medium severity (score 6.1) · NVD Advisory · Published Jul 17, 2017 · Updated May 13, 2026

CVE-2017-1000070

Description

The Bitly oauth2_proxy in version 2.1 and earlier was affected by an open redirect vulnerability during the start and termination of the 2-legged OAuth flow. This issue was caused by improper input validation and a violation of RFC 6819.
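To show the defect concretely, here is an added example (not oauth2_proxy's own code) that places the pre-fix redirect check beside the post-fix one from commit 289a6ccf463a, plus an assumed stricter variant that parses the value with net/url and requires an empty scheme and host; the function names and sample inputs are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed: the check as it stood before the fix. Anything starting
// with "/" passes, including protocol-relative URLs such as "//host/".
func safeRedirectBeforeFix(redirect string) bool {
	return strings.HasPrefix(redirect, "/")
}

// Constructed: the check after the fix. A leading "//" is a
// protocol-relative URL that the browser resolves to another host.
func safeRedirectAfterFix(redirect string) bool {
	return strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//")
}

// Assumed stricter variant (not from the project): parse the value and
// accept only an absolute path with no scheme and no authority part.
func safeRedirectParsed(redirect string) bool {
	u, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && strings.HasPrefix(u.Path, "/")
}

// chooseRedirect mirrors the callback's fallback: unsafe values become "/".
func chooseRedirect(state string) string {
	if !safeRedirectAfterFix(state) {
		return "/"
	}
	return state
}

func main() {
	// Constructed sample "state" values as they would arrive in the callback.
	for _, s := range []string{"/dashboard", "//other-host.example/", "https://other-host.example/"} {
		fmt.Printf("%-30q before=%-5v after=%-5v parsed=%v\n",
			s, safeRedirectBeforeFix(s), safeRedirectAfterFix(s), safeRedirectParsed(s))
	}
}
```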

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/bitly/oauth2_proxy (Go)
Affected versions: < 2.2.0
Patched versions: 2.2.0


Patches (1)

Commit 289a6ccf463a

add check for //.* to prevent open redirect during oauth

https://github.com/bitly/oauth2_proxy · Colin Arnott · Mar 28, 2017 · via GHSA
2 files changed · +2 −2
  • oauthproxy.go (+1 −1, modified)
    @@ -490,7 +490,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
     	}
     
     	redirect := req.Form.Get("state")
    -	if !strings.HasPrefix(redirect, "/") {
    +	if !strings.HasPrefix(redirect, "/")  || strings.HasPrefix(redirect, "//") {
     		redirect = "/"
     	}
     
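Review bot: the new condition in OAuthCallback still decides safety by string prefix alone; parsing the value with net/url and requiring both Scheme and Host to be empty would express the intent ("stay on this site") more robustly than `if !strings.HasPrefix(redirect, "/")  || strings.HasPrefix(redirect, "//")`. Two smaller points: the double space before `||` will be rewritten by gofmt, and the patch adds no test covering a "//" state value, so a later refactor could silently reintroduce the open redirect.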
    
  • providers/provider_default.go (+1 −1, modified)
    @@ -88,7 +88,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, finalRedirect string) string {
     	params.Add("scope", p.Scope)
     	params.Set("client_id", p.ClientID)
     	params.Set("response_type", "code")
    -	if strings.HasPrefix(finalRedirect, "/") {
    +	if strings.HasPrefix(finalRedirect, "/") && !strings.HasPrefix(finalRedirect,"//") {
     		params.Add("state", finalRedirect)
     	}
     	a.RawQuery = params.Encode()
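Review bot: this repeats the same prefix logic as oauthproxy.go by hand; extracting a shared helper (for example an `isSafeRedirect(string) bool` used by both GetLoginURL and OAuthCallback) would keep the two checks from drifting apart, which is how the original gap arose. Also, when finalRedirect fails the check it is dropped without any log line, so operators cannot see that a rejected value was supplied; consider logging it at debug level. Minor: `strings.HasPrefix(finalRedirect,"//")` is missing the space after the comma that gofmt expects.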
    
