VYPR
Moderate severity · NVD Advisory · Published Apr 27, 2021 · Updated Aug 3, 2024

Apache Superset Open Redirect

CVE-2021-28125

Description

Apache Superset up to and including 1.0.1 allowed for the creation of an external URL that could be malicious. By not checking user input for open redirects the URL shortener functionality would allow for a malicious user to create a short URL for a dashboard that could convince the user to click the link.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Superset up to 1.0.1 had an open redirect in the URL shortener, enabling phishing attacks.

Vulnerability

Apache Superset versions up to and including 1.0.1 contain an open redirect vulnerability in the URL shortener functionality. The feature does not validate user input, allowing the creation of a short URL that redirects to an arbitrary external site. Affected versions: Apache Superset <= 1.0.1. [1][4]

Exploitation

An attacker can craft a short URL that points to a malicious external site. This URL appears to be a legitimate shortened dashboard link. The attacker then convinces a victim (e.g., via social engineering) to click the link, which silently redirects the victim to the attacker-controlled site. No authentication or special privileges are required beyond access to the URL shortener feature. [1][4]

Impact

Successful exploitation leads to an open redirect. An attacker can use this to perform phishing attacks, tricking users into visiting malicious websites that may resemble legitimate services, potentially leading to credential theft or malware installation. [1][4]

Mitigation

The vulnerability is fixed in Apache Superset 1.1.0. Users should upgrade to version 1.1.0 or later. No workarounds are documented for versions prior to 1.1.0. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. [1][4]

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
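The allowlist idea behind the 1.1.0 fix, generalised to check the exact value that reaches the Location header rather than only the stored prefix. This is an added example, not Superset's own code; it assumes the storage convention visible in the patch on this page (targets stored with a leading "//", handler redirects to url[1:]) and uses the hypothetical names classify_location and resolve_short_url.

```python
"""Short-URL target check modelled on the 1.1.0 fix shown on this page.

Added example, not Superset's own code. It assumes the storage convention
visible in the patch: stored targets begin with "//", the handler redirects
to url[1:], and only dashboard/explore paths are meant to be reachable.
"""
from typing import Optional
from urllib.parse import urlsplit

# Local paths the shortener may redirect to, i.e. the fix's "//" prefixes
# after the leading character is stripped.
ALLOWED_PATH_PREFIXES = ("/superset/dashboard/", "/superset/explore/")


def classify_location(location: str) -> str:
    """Classify the exact string that would go into the Location header."""
    if not location:
        return "empty"
    if any(ord(c) < 0x20 or c == "\x7f" for c in location):
        return "control-char"      # would break or split the header
    if "\\" in location:
        return "backslash"         # browsers normalise "\" to "/"
    try:
        parts = urlsplit(location)
    except ValueError:             # e.g. unbalanced IPv6 brackets
        return "unparseable"
    if parts.scheme:
        return "has-scheme"        # absolute URL, leaves the site
    if parts.netloc or location.startswith("//"):
        return "has-host"          # protocol-relative, leaves the site
    if not location.startswith(ALLOWED_PATH_PREFIXES):
        return "outside-allowlist"
    return "ok"


def resolve_short_url(stored: Optional[str]) -> str:
    """Mirror the fixed handler: the validated target, else the root page."""
    if not stored or not stored.startswith("/"):
        return "/"
    location = stored[1:]
    return location if classify_location(location) == "ok" else "/"


if __name__ == "__main__":
    # Constructed samples: the patch's invalid test inputs plus a valid link.
    for stored in ("//superset/dashboard/1/", "hhttp://invalid.com",
                   "www.invalid.com", "///superset/dashboard/1/"):
        print(f"{stored!r:32} -> {resolve_short_url(stored)}")
```

Checking the post-strip value makes the rule independent of how targets are stored, which is the coupling the original startswith check silently relies on.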

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
superset (PyPI)          <= 0.34.0
apache-superset (PyPI)   < 1.1.0             1.1.0


Patches

eb35b804acf4

fix: url shortener invalid input (#13461)

https://github.com/apache/superset · Daniel Vaz Gaspar · Mar 4, 2021 · via ghsa
2 files changed · +42 −2
  • superset/views/redirects.py · +20 −2 · modified
    @@ -14,6 +14,9 @@
     # KIND, either express or implied.  See the License for the
     # specific language governing permissions and limitations
     # under the License.
    +import logging
    +from typing import Optional
    +
     from flask import flash, request, Response
     from flask_appbuilder import expose
     from flask_appbuilder.security.decorators import has_access_api
    @@ -24,11 +27,22 @@
     from superset.typing import FlaskResponse
     from superset.views.base import BaseSupersetView
     
    +logger = logging.getLogger(__name__)
    +
     
     class R(BaseSupersetView):  # pylint: disable=invalid-name
     
         """used for short urls"""
     
    +    @staticmethod
    +    def _validate_url(url: Optional[str] = None) -> bool:
    +        if url and (
    +            url.startswith("//superset/dashboard/")
    +            or url.startswith("//superset/explore/")
    +        ):
    +            return True
    +        return False
    +
         @event_logger.log_this
         @expose("/<int:url_id>")
         def index(self, url_id: int) -> FlaskResponse:  # pylint: disable=no-self-use
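Review bot: `_validate_url` is only safe in combination with the `url.url[1:]` strip in `index`: the accepted prefixes start with `//`, and dropping one character leaves a single-slash local path, which is what keeps the redirect on the same origin. That coupling deserves a docstring so a later change to either side does not break it. The body also reduces to `return bool(url) and url.startswith(("//superset/dashboard/", "//superset/explore/"))`.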
    @@ -38,8 +52,9 @@ def index(self, url_id: int) -> FlaskResponse:  # pylint: disable=no-self-use
                 if url.url.startswith(explore_url):
                     explore_url += f"r={url_id}"
                     return redirect(explore_url[1:])
    -
    -            return redirect(url.url[1:])
    +            if self._validate_url(url.url):
    +                return redirect(url.url[1:])
    +            return redirect("/")
     
             flash("URL to nowhere...", "danger")
             return redirect("/")
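Review bot: the new fallback `return redirect("/")` for a stored value that fails `_validate_url` is silent, unlike the `flash("URL to nowhere...", "danger")` branch right below it. Rows created before this fix remain in the `Url` table, so a warning through the `logger` this change adds, or a flash, would make such legacy records visible to operators instead of quietly sending users to the root page.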
    @@ -49,6 +64,9 @@ def index(self, url_id: int) -> FlaskResponse:  # pylint: disable=no-self-use
         @expose("/shortner/", methods=["POST"])
         def shortner(self) -> FlaskResponse:  # pylint: disable=no-self-use
             url = request.form.get("data")
    +        if not self._validate_url(url):
    +            logger.warning("Invalid URL: %s", url)
    +            return Response(f"Invalid URL: {url}", 400)
             obj = models.Url(url=url)
             db.session.add(obj)
             db.session.commit()
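Review bot: `Response(f"Invalid URL: {url}", 400)` echoes the rejected input back, and Flask's `Response` defaults to `text/html`, so untrusted input lands in an HTML body; either leave the value out of the body or pass `mimetype="text/plain"`. The same value goes into `logger.warning("Invalid URL: %s", url)`; `%r` would escape newlines so one submission cannot forge extra log lines.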
    
  • tests/core_tests.py · +22 −0 · modified
    @@ -634,6 +634,28 @@ def test_shortner(self):
             resp = self.client.post("/r/shortner/", data=dict(data=data))
             assert re.search(r"\/r\/[0-9]+", resp.data.decode("utf-8"))
     
    +    def test_shortner_invalid(self):
    +        self.login(username="admin")
    +        invalid_urls = [
    +            "hhttp://invalid.com",
    +            "hhttps://invalid.com",
    +            "www.invalid.com",
    +        ]
    +        for invalid_url in invalid_urls:
    +            resp = self.client.post("/r/shortner/", data=dict(data=invalid_url))
    +            assert resp.status_code == 400
    +
    +    def test_redirect_invalid(self):
    +        model_url = models.Url(url="hhttp://invalid.com")
    +        db.session.add(model_url)
    +        db.session.commit()
    +
    +        self.login(username="admin")
    +        response = self.client.get(f"/r/{model_url.id}")
    +        assert response.headers["Location"] == "http://localhost/"
    +        db.session.delete(model_url)
    +        db.session.commit()
    +
         @skipUnless(
             (is_feature_enabled("KV_STORE")), "skipping as /kv/ endpoints are not enabled"
         )
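Review bot: `invalid_urls` contains only malformed schemes (`hhttp://`, `hhttps://`, `www.`); add a well-formed absolute URL and a protocol-relative `//host/` value so the test pins the behaviour the CVE is about, and a positive case for `//superset/dashboard/...` so the allowlist itself is exercised. In `test_redirect_invalid` the cleanup `db.session.delete(model_url)` runs after the assertion, so a failure leaves the row behind; wrap it in `try/finally`. The comparison with `"http://localhost/"` also depends on the test client's server name.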
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
