VYPR
← All advisories
Medium severity4.7OSV Advisory· Published Jul 17, 2025· Updated Apr 15, 2026

CVE-2025-54066

CVE-2025-54066

Description

DiracX-Web is a web application that provides an interface to interact with the DiracX services. Prior to version 0.1.0-a8, an attacker can forge a request that they can pass to redirect an authenticated user to another arbitrary website. In the login page, DiracX-Web has a redirect field which is the location where the server will redirect the user. This URI is not verified, and can be an arbitrary URI. Paired with a parameter pollution, an attacker can hide their malicious URI. This could be used for phishing, and extract new data (such as redirecting to a new "log in" page, and asking another time credentials). Version 0.1.0-a8 fixes this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@dirac-grid/diracx-web-componentsnpm
< 0.1.0-a80.1.0-a8

Affected products

1

Patches

2
04db32be0927
https://github.com/diracgrid/diracx-webvia osv
eba3b7bc4f9d
https://github.com/diracgrid/diracx-webvia osv
commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.