Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/3599248 by marioniangi
A bypass exists for the previously patched open redirect vulnerability (report #3581815)
on lovable.dev. The original fix blocked backslash-based payloads (/\ and /%5C) but
did not account for path traversal sequences combined with double slashes. By supplying
/..//google.com as the redirect value, an attacker can still redirect authenticated
users to arbitrary external domains.
After logging in, the application processes a redirect via: https://lovable.dev/auth/post-login?redirect=/..//google.com
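As an added illustration (not code from the report or from lovable.dev), the check below contrasts a backslash blocklist in the spirit of the first fix with a validator that accepts only a plain same-origin path, so the bypass value is refused before any path normalisation can reinterpret it. The function names and sample values are constructed here.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample values: the two forms the first fix blocked,
# the reported bypass, and a benign in-app path.
BLOCKED_BY_FIRST_FIX = ["/\\google.com", "/%5Cgoogle.com"]
REPORTED_BYPASS = "/..//google.com"
BENIGN = "/projects/123"


def weak_is_local_redirect(value: str) -> bool:
    """Blocklist check in the spirit of the first fix: reject backslash
    payloads and a leading '//', accept anything else that starts with '/'."""
    decoded = unquote(value)
    if "\\" in decoded or decoded.startswith("//"):
        return False
    return decoded.startswith("/")


def hardened_is_local_redirect(value: str) -> bool:
    """Accept only a plain same-origin path. Anything that would need
    normalising (dot segments, empty segments from '//') or that carries a
    scheme, authority, backslash or control character is rejected outright,
    so the final destination never depends on how a browser or proxy
    resolves '..' and '//'."""
    decoded = unquote(value)
    if "\\" in decoded or any(ch in decoded for ch in "\r\n\t\x00"):
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:  # absolute or protocol-relative URL
        return False
    path = parts.path
    if not path.startswith("/"):
        return False
    segments = path.rstrip("/").split("/")[1:]  # drop leading empty segment
    # "/..//google.com" splits into ['..', '', 'google.com']: both rejected
    return not any(seg in ("", ".", "..") for seg in segments)


if __name__ == "__main__":
    for value in BLOCKED_BY_FIRST_FIX + [REPORTED_BYPASS, BENIGN]:
        print(f"{value!r:22} weak={weak_is_local_redirect(value)!s:5} "
              f"hardened={hardened_is_local_redirect(value)}")
```

A stricter deployment would go one step further and match the path against an allowlist of known post-login routes rather than accepting any well-formed path.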
An open redirect vulnerability was identified within an OAuth authorization flow endpoint. The vulnerability occurs because the callback_url (or equivalent redirect parameter) is validated using an insecure string prefix match instead of exact parsing.
A base64-encoded query parameter on a login/terms acceptance page was decoded and used directly in window.location.href with only protocol validation and no domain check. The writeup covers tracing the vulnerable code in the Angular bundle, crafting the payload, and why the legitimate branding makes this particularly effective for phishing.