OAuth2 Redirect URL validity does not respect query parameters and character casing for loopback addresses
Description
ORY Fosite is a security-first OAuth2 & OpenID Connect framework for Go. In Fosite from version 0.30.2 and before version 0.34.1, an attacker can override the registered redirect URL by performing an OAuth flow and requesting a redirect URL that points to the loopback adapter. Attackers can both add custom URL query parameters to their loopback redirect URL and override the host of the registered redirect URL. These attacks are only applicable in scenarios where the attacker has access to the loopback interface. This vulnerability has been patched in ORY Fosite v0.34.1.
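The reason loopback redirect URLs get special treatment at all is RFC 8252 section 7.3: a native app opens an ephemeral port on 127.0.0.1 or [::1], so the authorization server has to accept a port that differs from the registered one. The mistake the advisory describes is relaxing more than the port. The Go program below is an added illustration for this page, not Fosite's code before or after the fix: naiveLoopbackMatch models the class of check the advisory describes (once the requested URL is loopback, only scheme and path are compared), and strictLoopbackMatch lets only the port vary, and only when the registered URL is itself a loopback URL. Function names and the sample URL pairs are the example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isLoopbackHost reports whether a host name (as returned by url.Hostname, so
// without port or IPv6 brackets) refers to the loopback interface: an IPv4 or
// IPv6 loopback literal, or the name "localhost" compared case-insensitively.
func isLoopbackHost(host string) bool {
	host = strings.ToLower(strings.Trim(host, "[]"))
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// naiveLoopbackMatch models the class of check the advisory describes; it is an
// illustration for this page, not Fosite's code. Once the requested URL points
// at loopback, only scheme and path are compared, so the port, the host name
// and the query string are all under the client's control.
func naiveLoopbackMatch(registered, requested string) bool {
	reg, err := url.Parse(registered)
	if err != nil {
		return false
	}
	req, err := url.Parse(requested)
	if err != nil {
		return false
	}
	if !isLoopbackHost(req.Hostname()) {
		return registered == requested
	}
	return reg.Scheme == req.Scheme && reg.Path == req.Path
}

// strictLoopbackMatch lets only the port vary, and only when the registered
// URL itself is a loopback URL (RFC 8252 section 7.3). Scheme, userinfo, host
// name, path, query and fragment must all match. Path and query are compared
// byte-for-byte, so a changed case in the path is rejected; the host name is
// compared case-insensitively because DNS names are.
func strictLoopbackMatch(registered, requested string) bool {
	reg, err := url.Parse(registered)
	if err != nil {
		return false
	}
	req, err := url.Parse(requested)
	if err != nil {
		return false
	}
	if !isLoopbackHost(reg.Hostname()) || !isLoopbackHost(req.Hostname()) {
		// No loopback relaxation: the redirect URL must match exactly.
		return registered == requested
	}
	return reg.Scheme == req.Scheme &&
		reg.User == nil && req.User == nil &&
		strings.EqualFold(reg.Hostname(), req.Hostname()) &&
		reg.Path == req.Path &&
		reg.RawQuery == req.RawQuery &&
		reg.Fragment == req.Fragment
}

func main() {
	// Constructed sample pairs: registered URL, then the URL the client requests.
	cases := [][2]string{
		{"http://127.0.0.1/cb", "http://127.0.0.1:9000/cb"},         // port change: allowed
		{"http://127.0.0.1/cb", "http://127.0.0.1:9000/cb?state=x"}, // query injection
		{"http://client.example/cb", "http://127.0.0.1:9000/cb"},    // host override
		{"http://127.0.0.1/cb", "http://127.0.0.1:9000/CB"},         // path casing
		{"http://localhost/cb", "http://127.0.0.1:9000/cb"},         // different loopback name
	}
	for _, c := range cases {
		fmt.Printf("%-28s %-36s naive=%-5v strict=%v\n",
			c[0], c[1], naiveLoopbackMatch(c[0], c[1]), strictLoopbackMatch(c[0], c[1]))
	}
}
```

The design point is that the loopback relaxation is applied only after both sides have been shown to be loopback, and that it relaxes exactly one component. Everything else is compared on the parsed components rather than on a string prefix, which is what makes an appended query string or a host substitution fail the check.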
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/ory/fosite (Go) | >= 0.30.3, < 0.34.1 | 0.34.1 |
References
- https://github.com/advisories/GHSA-rfq3-w54c-f9q5 (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-15233 (NVD entry)
- https://github.com/ory/fosite/commit/cdee51ebe721bfc8acca0fd0b86b030ca70867bf (fix commit)
- https://github.com/ory/fosite/pull/400 (fix pull request)
- https://github.com/ory/fosite/security/advisories/GHSA-rfq3-w54c-f9q5 (project security advisory)