CWE-647
Use of Non-Canonical URL Paths for Authorization Decisions
VariantIncompleteLikelihood: High
Description
The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
Hierarchy (View 1000)
CVEs mapped to this weakness (2)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-43916 | Low | 0.22 | 3.4 | 0.00 | Apr 21, 2025 | Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with "Decompiling the app revealed a hardcoded secret." | |
| CVE-2025-47241 | Med | 0.19 | 4.0 | 0.00 | May 3, 2025 | In browser-use (aka Browser Use) before 0.1.45, URL parsing of allowed_domains is mishandled because userinfo can be placed in the authority component. |