WebOb's location header normalization during redirect leads to open redirect
Description
WebOb's Location header normalization using urlparse/urljoin allows open redirect via protocol-relative URLs; patched in 1.8.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
WebOb's _make_location_absolute function normalizes HTTP Location headers by parsing the redirect URL with Python's urlparse and joining it to the request base URL using urljoin. However, urlparse treats a string starting with // as a protocol-relative URI, interpreting the next segment as the hostname. When urljoin combines this with the base URL, it replaces the original hostname with the attacker-controlled hostname, resulting in an open redirect [1][3].
Exploitation
An attacker can exploit this by crafting a response with a Location header beginning with //attacker.com/path. When WebOb normalizes this header, the redirect target becomes https://attacker.com/path instead of the intended domain. No authentication is required; the attacker only needs to influence the redirect location, for example by providing a malicious URL that the application uses in a redirect [3].
Impact
Successful exploitation allows an attacker to redirect users to an arbitrary external site. This can be leveraged for phishing attacks, bypassing security controls that rely on the redirect destination, or directing users to malicious content [3].
Mitigation
The vulnerability is patched in WebOb version 1.8.8. The fix prepends /%2f to the path when the location starts with //, preventing hostname replacement [4]. Users should upgrade to 1.8.8 or later. As a workaround, applications can ensure that all redirect locations are provided as full URIs including the scheme and hostname [3].
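The following added example (not WebOb's own code) reproduces the urljoin behaviour described above and the 1.8.8 fix side by side, plus a defensive same-host check a deployment can apply to outgoing redirects. `SCHEME_RE` is my approximation of the scheme guard visible in the fix commit, and the base URL and Location values are constructed sample input.

```python
import re
from urllib.parse import urljoin, urlsplit

# Approximation of the scheme guard seen in the fix commit (assumption):
# a Location that already carries a scheme is returned untouched.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)


def make_location_absolute_vulnerable(base_url, value):
    """Pre-1.8.8 behaviour: plain urljoin.

    A value starting with '//' is parsed as a scheme-relative reference, so
    the segment after '//' is taken as the authority and replaces the host
    of the request base URL.
    """
    if SCHEME_RE.search(value):
        return value
    return urljoin(base_url, value)


def make_location_absolute_fixed(base_url, value):
    """1.8.8 behaviour: a leading '//' is rewritten to '/%2f'.

    urlsplit then sees an absolute path rather than an authority component,
    so the request host is preserved.
    """
    if SCHEME_RE.search(value):
        return value
    if value.startswith("//"):
        value = "/%2f{}".format(value[2:])
    return urljoin(base_url, value)


def redirect_stays_on_host(base_url, location):
    """Defensive check for outgoing redirects (e.g. in WSGI middleware):
    True only if the absolute Location resolves to the request's own host."""
    return urlsplit(location).netloc == urlsplit(base_url).netloc


if __name__ == "__main__":
    base = "http://localhost/"            # constructed request base URL
    loc = "//www.example.com/test"        # constructed scheme-relative Location
    bad = make_location_absolute_vulnerable(base, loc)
    good = make_location_absolute_fixed(base, loc)
    print("vulnerable:", bad, "same host:", redirect_stays_on_host(base, bad))
    print("fixed:     ", good, "same host:", redirect_stays_on_host(base, good))
```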
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| webob (PyPI) | < 1.8.8 | 1.8.8 |
Affected products
Package identifiers (9):
- pkg:pypi/webob
- pkg:rpm/opensuse/python-WebOb (openSUSE Leap 15.5)
- pkg:rpm/opensuse/python-WebOb (openSUSE Leap 15.6)
- pkg:rpm/opensuse/python-WebOb (openSUSE Tumbleweed)
- pkg:rpm/suse/python-WebOb (SUSE Linux Enterprise Module for Basesystem 15 SP5)
- pkg:rpm/suse/python-WebOb (SUSE Linux Enterprise Module for Basesystem 15 SP6)
- pkg:rpm/suse/python-WebOb (SUSE Linux Enterprise Module for Package Hub 15 SP5)
- pkg:rpm/suse/python-WebOb (SUSE Linux Enterprise Module for Package Hub 15 SP6)
- pkg:rpm/suse/python-WebOb (SUSE Linux Enterprise Module for Public Cloud 12)
Affected version ranges (no CPE assigned; listed in the order given by the source):
- < 1.8.8
- < 1.7.4-150000.3.3.1
- < 1.8.7-150400.11.6.1
- < 1.8.8-1.1
- < 1.7.4-150000.3.3.1
- < 1.7.4-150000.3.3.1
- < 1.7.4-150000.3.3.1
- < 1.7.4-150000.3.3.1
- < 1.2.3-3.3.1
- Pylons/webob (GitHub repository): <= 1.8.7
Patches
12 files changed · +16 −0
src/webob/response.py+5 −0 modified@@ -1284,6 +1284,11 @@ def _make_location_absolute(environ, value): if SCHEME_RE.search(value): return value + # This is to fix an open redirect issue due to the way that + # urlparse.urljoin works. See CVE-2024-42353 and + # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 + if value.startswith("//"): + value = "/%2f{}".format(value[2:]) new_location = urlparse.urljoin(_request_uri(environ), value) return new_location
tests/test_response.py+11 −0 modified@@ -1031,6 +1031,17 @@ def test_location(): assert req.get_response(res).location == 'http://localhost/test2.html' +def test_location_no_open_redirect(): + # This is a test for a fix for CVE-2024-42353 and + # https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 + res = Response() + res.status = "301" + res.location = "//www.example.com/test" + assert res.location == "//www.example.com/test" + req = Request.blank("/") + assert req.get_response(res).location == "http://localhost/%2fwww.example.com/test" + + @pytest.mark.xfail(sys.version_info < (3,0), reason="Python 2.x unicode != str, WSGI requires str. Test " "added due to https://github.com/Pylons/webob/issues/247. "
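Review bot: the new `if value.startswith("//")` branch in `_make_location_absolute` changes the result for every scheme-relative Location, including ones that name the request's own host (for example `//localhost/path`), which now resolve to `http://localhost/%2flocalhost/path` instead of the intended path. That is an acceptable trade-off for closing the open redirect, but it is a behaviour change worth stating in the changelog and in the `location` property's documentation, together with the advisory's guidance that applications wanting a cross-host redirect must supply a full URI with scheme and host, which the `SCHEME_RE.search(value)` early return leaves untouched.

Review bot: `test_location_no_open_redirect` pins the exact encoded string `http://localhost/%2fwww.example.com/test`, which couples the test to the `/%2f` rewrite rather than to the security property being fixed. Consider adding an assertion on the property itself, e.g. `assert urlparse(req.get_response(res).location).netloc == "localhost"`, so that a later change of encoding strategy does not have to rewrite the regression test while the test still fails if the host ever changes again.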
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mg3v-6m49-jhp3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-42353 (ghsa, ADVISORY)
- github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b (ghsa, x_refsource_MISC, WEB)
- github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/webob/PYSEC-2024-188.yaml (ghsa, WEB)