VYPR
Low severity · OSV Advisory · Published Nov 7, 2025 · Updated Apr 15, 2026

CVE-2025-64481

Description

Datasette is an open source multi-tool for exploring and publishing data. In versions 0.65.1 and below and 1.0a0 through 1.0a19, deployed instances of Datasette include an open redirect vulnerability. Requests to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar. This problem has been patched in both Datasette 0.65.2 and 1.0a21. To work around this issue, if Datasette is running behind a proxy, that proxy could be configured to replace // with / in incoming request URLs.
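The mechanism above is easier to reason about with a small model of the trailing-slash redirect. The following is an added example, not Datasette's own code: it re-implements the 404 handler's redirect logic on str values instead of the bytes the real handler uses, applies the same leading-slash collapse the fix introduces (re.sub(r"^/+", "/", path)), and adds a check a defender can run over a Location value to decide whether a browser would treat it as protocol-relative (//host/...) rather than as a path on the same site. The function names, the query-string handling and the proxy_workaround helper are assumptions made for this example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit


def normalize_redirect_path(path: str) -> str:
    """Collapse any run of leading slashes to a single '/'.

    Mirrors the substitution added in Datasette 0.65.2 / 1.0a21, so a
    Location value built from the request path can never start with '//'.
    """
    return re.sub(r"^/+", "/", path)


def is_protocol_relative(location: str) -> bool:
    """Return True if a browser would resolve this Location against
    another host: '//example.com/foo' has a netloc, '/example.com/foo' does not.
    Useful as a guard or a log check on outgoing redirects."""
    return urlsplit(location).netloc != ""


def trailing_slash_redirect(path: str, query_string: str = "",
                            hardened: bool = True) -> Optional[str]:
    """Model of the handler: a 404 for a path ending in '/' is redirected to
    the same path without the slash, with the query string re-attached.
    hardened=False reproduces the vulnerable behaviour (no collapse);
    hardened=True reproduces the patched behaviour. Returns the Location
    value, or None when no redirect would be issued."""
    if not path.endswith("/"):
        return None
    location = path.rstrip("/")
    if hardened:
        location = normalize_redirect_path(location)
    if query_string:
        location += "?" + query_string
    return location


def proxy_workaround(path: str) -> str:
    """Assumed model of the documented workaround for a reverse proxy in
    front of an unpatched instance: replace every run of '//' in the
    incoming request path with a single '/' before forwarding it."""
    return re.sub(r"/{2,}", "/", path)


if __name__ == "__main__":
    # Constructed request path of the shape described in the advisory.
    attacker_shaped = "//example.com/foo/bar/"
    for hardened in (False, True):
        loc = trailing_slash_redirect(attacker_shaped, hardened=hardened)
        print(f"hardened={hardened}: Location={loc!r} "
              f"protocol_relative={is_protocol_relative(loc)}")
    print("proxy workaround forwards:", proxy_workaround(attacker_shaped))
```

Running the block shows the unpatched model emitting Location "//example.com/foo/bar", which the check flags as protocol-relative, while the patched model emits "/example.com/foo/bar"; ordinary paths such as /nastyOpenRedirect/ redirect exactly as before, and a query string is appended only after the collapse, matching the order of operations in the fix.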

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions       Patched versions
datasette (PyPI)    < 0.65.2                0.65.2
datasette (PyPI)    >= 1.0a0, < 1.0a21      1.0a21

Affected products: 1

Patches: 1
f257ca6edb64

Fix for open redirect - identified in Issue 2429 (#2500)

https://github.com/simonw/datasette · James Jefferies · Nov 5, 2025 · via ghsa
2 files changed · +11 −0
  • datasette/app.py (+5 −0, modified)
    @@ -2150,6 +2150,11 @@ async def handle_404(self, request, send, exception=None):
             context = {}
             if path.endswith(b"/"):
                 path = path.rstrip(b"/")
    +
    +            # If you redirect with a // at the beginning, you end up with an open redirect, so
    +            # https://my.site//foo/ - will redirect to https://foo
    +            path = re.sub(rb"^/+", b"/", path)
    +
                 if request.scope["query_string"]:
                     path += b"?" + request.scope["query_string"]
                 await asgi_send_redirect(send, path.decode("latin1"))
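Review bot: the new `path = re.sub(rb"^/+", b"/", path)` sits inside the `if path.endswith(b"/")` branch, which is the only place in this handler that calls `asgi_send_redirect`, so the collapse runs before every redirect the code issues; two things to confirm before merging: that `re` is already imported in app.py (the import is not part of this hunk), and the degenerate case of a path made only of slashes such as `//`, which `path.rstrip(b"/")` reduces to `b""` before the substitution, so the redirect target would be an empty string; a guard such as `if not path: path = b"/"` ahead of the redirect would make that case deterministic, and the comment could cite Issue 2429 so the reason for the substitution is discoverable from the code.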
    
  • tests/test_custom_pages.py (+6 −0, modified)
    @@ -97,3 +97,9 @@ def test_custom_route_pattern_404(custom_pages_client):
         assert response.status == 404
         assert "<h1>Error 404</h1>" in response.text
         assert ">Oh no</" in response.text
    +
    +
    +def test_custom_route_pattern_with_slash_slash_302(custom_pages_client):
    +    response = custom_pages_client.get("//nastyOpenRedirect/")
    +    assert response.status == 302
    +    assert response.headers["location"] == "/nastyOpenRedirect"
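Review bot: `test_custom_route_pattern_with_slash_slash_302` pins the exact `location` value, which is the right assertion for an open-redirect fix; consider parametrizing it to also cover three or more leading slashes (`///nastyOpenRedirect/`) and a request carrying a query string, since the handler appends `query_string` only after the normalization and neither case is exercised by this hunk.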
    


References: 5

News mentions: 0

No linked articles in our index yet.