VYPR
Moderate severity · NVD Advisory · Published Jul 29, 2024 · Updated Nov 3, 2025

HTML injection in HTTP redirect body

CVE-2024-41810

Description

Twisted is an event-based framework for internet applications, supporting Python 3.6+. The twisted.web.util.redirectTo function contains an HTML injection vulnerability. If application code allows an attacker to control the redirect URL, this vulnerability may result in Reflected Cross-Site Scripting (XSS) in the redirect response HTML body. This vulnerability is fixed in 24.7.0rc1.
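The two interpolations side by side, as an added Python illustration (not Twisted's code and not part of the advisory): the body template is reconstructed from the patched tests, the names `redirect_body_vulnerable`, `redirect_body_fixed` and `inspect_body` are assumptions, and the parser-based check shows that after escaping the only start tags in the body are the template's own while the href still decodes back to the caller's URL.

```python
import html
from html.parser import HTMLParser

# Redirect body template reconstructed from the test expectations (illustration only).
_TEMPLATE = b"""
<html>
    <head>
        <meta http-equiv="refresh" content="0;URL=%(url)s">
    </head>
    <body bgcolor="#FFFFFF" text="#000000">
    <a href="%(url)s">click here</a>
    </body>
</html>
"""

# Start tags a clean body contains, in document order.
EXPECTED_TAGS = ["html", "head", "meta", "body", "a"]

def redirect_body_vulnerable(url: bytes) -> bytes:
    """Pre-24.7.0rc1 behaviour: the URL is interpolated verbatim."""
    return _TEMPLATE % {b"url": url}

def redirect_body_fixed(url: bytes) -> bytes:
    """Patched behaviour: html.escape (quote=True) rewrites & < > " ' so the
    value can neither close the quoted attribute nor open a new tag."""
    return _TEMPLATE % {b"url": html.escape(url.decode("utf-8")).encode("utf-8")}

class _Collector(HTMLParser):
    """Record start tags and attribute values; HTMLParser decodes entities in
    attribute values, so an escaped href comes back as the original URL."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            self.attrs[(tag, name)] = value or ""

def inspect_body(body: bytes):
    """Return (start tags seen, href of the <a> element). A tag list other
    than EXPECTED_TAGS means the URL injected markup into the body."""
    parser = _Collector()
    parser.feed(body.decode("utf-8"))
    parser.close()
    return parser.tags, parser.attrs.get(("a", "href"))
```

Feeding the advisory's own test URL through `redirect_body_vulnerable` yields a `script` start tag; through `redirect_body_fixed` it yields exactly `EXPECTED_TAGS`.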

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: twisted (PyPI)
Affected versions: < 24.7.0rc1
Patched versions: 24.7.0rc1

Patches

1 commit: 046a164f89a0

Merge commit from fork

https://github.com/twisted/twisted · Adi Roiban · Jul 29, 2024 · via ghsa
4 files changed · +41 -2
  • src/twisted/web/newsfragments/12263.bugfix (added, +1 -0)
    @@ -0,0 +1 @@
    +twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2). The issue is being tracked with CVE-2024-41810.
    \ No newline at end of file
    
  • src/twisted/web/newsfragments/9839.bugfix (added, +1 -0)
    @@ -0,0 +1 @@
    +twisted.web.util.redirectTo now HTML-escapes the provided URL in the fallback response body it returns (GHSA-cf56-g6w6-pqq2, CVE-2024-41810).
    
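Review bot: 12263.bugfix and 9839.bugfix carry the same entry with slightly different wording (one ends with "The issue is being tracked with CVE-2024-41810", the other puts the CVE inside the parenthesis), so the release notes will list the fix twice. Keep one fragment, or give both the identical text so towncrier collapses them into a single entry that cites both issue numbers.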
  • src/twisted/web/_template_util.py (modified, +1 -1)
    @@ -92,7 +92,7 @@ def render_GET(self, request):
         </body>
     </html>
     """ % {
    -        b"url": URL
    +        b"url": escape(URL.decode("utf-8")).encode("utf-8")
         }
         return content
     
    
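Review bot: `escape` is not imported in this hunk; confirm that `from html import escape` already exists at the top of `_template_util.py`, otherwise the fixed line raises NameError on the first redirect. Two behavioural caveats deserve a comment next to `b"url": escape(URL.decode("utf-8")).encode("utf-8")`: `URL.decode("utf-8")` now raises UnicodeDecodeError for URL bytes that are not valid UTF-8, where the old line interpolated any bytes, and `escape` must keep its default `quote=True`, because the value lands inside the double-quoted `content=` and `href=` attributes and `quote=False` would leave the `"` breakout intact. Escaping closes the HTML injection only; the same URL is still emitted as the refresh target, so validating the redirect destination remains the caller's job.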
  • src/twisted/web/test/test_util.py (modified, +38 -1)
    @@ -5,7 +5,6 @@
     Tests for L{twisted.web.util}.
     """
     
    -
     import gc
     
     from twisted.internet import defer
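Review bot: the deleted blank line after the module docstring is an unrelated formatting change; leaving it out of a security fix keeps the backport diff minimal.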
    @@ -64,6 +63,44 @@ def test_redirectToUnicodeURL(self):
             targetURL = "http://target.example.com/4321"
             self.assertRaises(TypeError, redirectTo, targetURL, request)
     
    +    def test_legitimateRedirect(self):
    +        """
    +        Legitimate URLs are fully interpolated in the `redirectTo` response body without transformation
    +        """
    +        request = DummyRequest([b""])
    +        html = redirectTo(b"https://twisted.org/", request)
    +        expected = b"""
    +<html>
    +    <head>
    +        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/\">
    +    </head>
    +    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
    +    <a href=\"https://twisted.org/\">click here</a>
    +    </body>
    +</html>
    +"""
    +        self.assertEqual(html, expected)
    +
    +    def test_maliciousRedirect(self):
    +        """
    +        Malicious URLs are HTML-escaped before interpolating them in the `redirectTo` response body
    +        """
    +        request = DummyRequest([b""])
    +        html = redirectTo(
    +            b'https://twisted.org/"><script>alert(document.location)</script>', request
    +        )
    +        expected = b"""
    +<html>
    +    <head>
    +        <meta http-equiv=\"refresh\" content=\"0;URL=https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">
    +    </head>
    +    <body bgcolor=\"#FFFFFF\" text=\"#000000\">
    +    <a href=\"https://twisted.org/&quot;&gt;&lt;script&gt;alert(document.location)&lt;/script&gt;\">click here</a>
    +    </body>
    +</html>
    +"""
    +        self.assertEqual(html, expected)
    +
     
     class ParentRedirectTests(SynchronousTestCase):
         """
    

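Review bot: `test_maliciousRedirect` exercises only `"`, `<` and `>`; `html.escape` also rewrites `&` and `'`, so add a case such as `b"https://twisted.org/?a=1&b='x'"` and assert on `&amp;` and `&#x27;` to pin that behaviour, and add a case with non-UTF-8 URL bytes to document whether the new `.decode("utf-8")` is expected to raise. Both tests compare the whole body byte-for-byte, which ties them to the exact template whitespace; asserting that the escaped URL appears in the `content=` and `href=` attributes and that no raw `<script>` survives would keep them valid across cosmetic template edits.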