Capgo - Open Redirect via Unvalidated Stripe Billing URLs

An authenticated attacker with `org.update_billing` permission sends a POST request to `/functions/v1/private/stripe_portal` or `/functions/v1/private/stripe_checkout` with a `callbackUrl`, `successUrl`, or `cancelUrl` pointing to an attacker-controlled domain (e.g., `https://example.com/...`). The backend passes these unvalidated URLs directly to Stripe's `return_url`, `success_url`, and `cancel_url` parameters. When the victim completes the Stripe billing flow and clicks the return/cancel link, the browser redirects to the attacker's domain, enabling phishing or credential harvesting. [ref_id=1]

The advisory states that version 12.128.2 patches the vulnerability, but the patch diff is not included in the bundle. Based on the advisory, the fix would require adding an allowlist validation on the `callbackUrl`, `successUrl`, and `cancelUrl` parameters before passing them to Stripe, ensuring only permitted (same-origin) URLs are accepted. Without the patch, the backend blindly forwards any user-supplied URL to Stripe's session creation calls. [ref_id=1]

The advisory includes two curl-based PoCs. For the Billing Portal, send `POST /functions/v1/private/stripe_portal` with body `{"orgId":"<ORG_ID>","callbackUrl":"https://example.com/capgo-portal-return"}`. For Checkout, send `POST /functions/v1/private/stripe_checkout` with body `{"orgId":"<ORG_ID>","priceId":"<PROD>","recurrence":"month","successUrl":"https://example.com/checkout-success","cancelUrl":"https://example.com/checkout-cancel"}`. In both cases, opening the returned Stripe session URL and clicking the return/cancel link redirects the victim to the attacker-controlled domain. [ref_id=1]