VYPR
Moderate severity · NVD Advisory · Published Nov 18, 2020 · Updated Aug 4, 2024

CVE-2020-28724

Description

Open redirect vulnerability in werkzeug before 0.11.6 via a double slash in the URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open redirect in werkzeug <0.11.6 due to double-slash in URL allowing an attacker to craft a malicious redirect.

Root Cause

CVE-2020-28724 describes an open redirect in Werkzeug, the WSGI toolkit that Flask is built on. It affects the development server (werkzeug.serving) in versions before 0.11.6 and is triggered by a request path that begins with a double slash (//). A link such as http://legitimate-site.com//attacker.com/path makes the browser send the request line GET //attacker.com/path HTTP/1.1 to the legitimate server; the development server parses the segment after the leading // as the URL's network location and sets HTTP_HOST in the WSGI environ to that attacker-supplied host. Any absolute redirect URL the application then builds from the request host (for example Werkzeug's automatic trailing-slash redirect) points at the attacker's site instead of the legitimate one [1][2].

Attack Vector

An attacker exploits this by sending a victim a link whose path starts with a double slash followed by the attacker's host, for example http://legitimate-site.com//attacker.com/path. The link points at the legitimate site, so it survives casual inspection, but when the application is served by Werkzeug's development server the request target //attacker.com/path is misparsed and any absolute redirect the application issues sends the browser to attacker.com. No authentication is required: the flaw lies in how the server constructs absolute URLs in redirect responses, not in any application logic [2][3].
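The parsing behaviour described above, as an added illustration that is not Werkzeug's own code: the first function models the pre-0.11.6 behaviour the advisory describes (any parsed network location overrides the Host header), the second shows the check a server should apply (only an absolute-form request target carries an authority; a bare //host/path is a path), and the third builds the absolute Location header the way a redirect would. The host names app.example and attacker.example and all function names are this example's own.

```python
"""Why a request target beginning with "//" is dangerous when the server trusts
the parsed network location. Constructed illustration, not Werkzeug's code;
host names and function names are this example's own."""
from urllib.parse import urlsplit


def naive_environ(request_target: str, header_host: str) -> dict:
    """Minimal WSGI-style environ built the way the advisory says the
    pre-0.11.6 development server did: a parsed netloc overrides Host."""
    parts = urlsplit(request_target)
    environ = {
        "PATH_INFO": parts.path,
        "QUERY_STRING": parts.query,
        "HTTP_HOST": header_host,
    }
    # urlsplit("//attacker.example/app") yields netloc="attacker.example"
    # although the client sent an origin-form target, not an absolute URI.
    if parts.netloc:
        environ["HTTP_HOST"] = parts.netloc
    return environ


def hardened_environ(request_target: str, header_host: str) -> dict:
    """Only an absolute-form target (scheme + authority) may override the
    Host header; a target that merely starts with "//" stays a path."""
    parts = urlsplit(request_target)
    path = parts.path
    host = header_host
    if parts.scheme and parts.netloc:
        # absolute-form request target ("GET http://host/path HTTP/1.1"):
        # HTTP/1.1 says the authority in the target wins over the Host header
        host = parts.netloc
    elif parts.netloc:
        # origin-form target beginning with "//": put the segment urlsplit
        # mistook for a netloc back into the path (leading "//" becomes "/")
        path = "/" + parts.netloc + path
    return {"PATH_INFO": path, "QUERY_STRING": parts.query, "HTTP_HOST": host}


def redirect_location(environ: dict, new_path: str, scheme: str = "http") -> str:
    """Absolute Location value assembled from the environ's host, modelled on
    how a trailing-slash redirect or an _external URL is built."""
    return f"{scheme}://{environ['HTTP_HOST']}{new_path}"


if __name__ == "__main__":
    victim_host = "app.example"  # constructed: the Host header the browser sends
    # what the browser sends for the link http://app.example//attacker.example/app
    target = "//attacker.example/app"
    bad = naive_environ(target, victim_host)
    good = hardened_environ(target, victim_host)
    print("naive    :", redirect_location(bad, bad["PATH_INFO"] + "/"))
    print("hardened :", redirect_location(good, good["PATH_INFO"] + "/"))
```

Run stand-alone it prints the two Location values side by side: the naive environ redirects to http://attacker.example/app/, the hardened one to http://app.example/attacker.example/app/, which is on the legitimate host and at worst a 404. The check that matters is the `parts.scheme and parts.netloc` guard; without the scheme test, the absolute-URI support that HTTP/1.1 requires of servers turns into the open redirect.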

Impact

Successful exploitation lets an attacker redirect users to a site of their choosing, facilitating phishing, credential theft, or malware distribution; because the victim clicked a link on the trusted domain, the landing page inherits that trust. The flaw is confined to the development server (werkzeug.serving): the same application deployed behind a production WSGI server is not affected by this issue [2][4].

Mitigation

Upgrading to Werkzeug 0.11.6 or later resolves the issue by properly normalizing request URLs that contain a double slash [3]. Users running applications on older Werkzeug versions should update immediately, especially if the development server is reachable from untrusted networks. No workaround is documented for unpatched versions [1][2]; since the exposure is limited to the development server, which Werkzeug's own documentation describes as unsuitable for production, keeping that server off untrusted networks removes the attack path until the upgrade is done.
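To confirm the upgrade took effect, the probe below sends the double-slash request target to a running development server and classifies the Location header it gets back. It is an added example, not from the advisory or the Werkzeug project; the bait host attacker.example, the 127.0.0.1:5000 default and the function names are assumptions. Point it at a path the application actually redirects (a route registered with a trailing slash, requested without it) so that a redirect is issued at all; a "no-redirect" result on a path that never redirects proves nothing.

```python
"""Verification probe for the double-slash open redirect. Added example, not
Werkzeug's code; bait host, default target and names are assumptions."""
import http.client
import sys
from typing import Optional
from urllib.parse import urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def build_probe_target(bait_host: str, path: str = "/") -> str:
    """Origin-form request target whose path starts with '//', so a naive
    parser reads the bait host as the URL authority."""
    return "//" + bait_host + path


def classify_location(status: int, location: Optional[str],
                      expected_host: str, bait_host: str) -> str:
    """Interpret a response. 'redirect-to-bait' means the server built the
    redirect from the attacker-controlled host (vulnerable); 'redirect-offsite'
    is an external redirect for some other reason and deserves a look;
    'redirect-onsite' and 'no-redirect' are the expected outcomes after the fix."""
    if status not in REDIRECT_STATUSES or not location:
        return "no-redirect"
    netloc = urlsplit(location).netloc.lower()
    if not netloc or netloc == expected_host.lower():
        return "redirect-onsite"  # relative Location, or absolute on our own host
    if netloc == bait_host.lower():
        return "redirect-to-bait"
    return "redirect-offsite"


def probe(host: str, port: int, bait_host: str = "attacker.example",
          path: str = "/") -> str:
    """Send the raw probe and classify the answer. Needs a reachable server;
    the offline-testable part is classify_location above."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        # skip_host=True: we set Host ourselves so the request line is exactly
        # "GET //attacker.example/path HTTP/1.1" with the legitimate Host header.
        conn.putrequest("GET", build_probe_target(bait_host, path),
                        skip_host=True, skip_accept_encoding=True)
        conn.putheader("Host", f"{host}:{port}")
        conn.endheaders()
        resp = conn.getresponse()
        return classify_location(resp.status, resp.getheader("Location"),
                                 f"{host}:{port}", bait_host)
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: python probe.py [host] [port] [path]   (defaults are assumptions)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 5000
    target_path = sys.argv[3] if len(sys.argv) > 3 else "/"
    print(probe(target_host, target_port, path=target_path))
```

The probe deliberately bypasses normal URL construction: http.client would otherwise never emit a request line whose path starts with two slashes, which is exactly the input a browser produces for a link like http://app.example//attacker.example/path. The bait host never needs to resolve; only the Location value is inspected, and the expected host is compared including the port because the development server echoes the Host header verbatim into absolute redirect URLs.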

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: werkzeug (PyPI)
Affected versions: < 0.11.6
Patched versions: 0.11.6

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 6
