Medium · CVSS 5.1 · Open Redirect (CWE-601)
Bypass of Open Redirect Fix on lovable.dev via /..// Path Traversal in redirect parameter
Vulnerability Summary
HackerOne disclosed report --> https://hackerone.com/reports/3599248 by marioniangi
Summary:
A bypass exists for the previously patched open redirect vulnerability (report #3581815)
on lovable.dev. The original fix blocked backslash-based payloads (/\ and /%5C), but
fails to account for path traversal sequences combined with double slashes. By supplying
/..//google.com as the redirect value, an attacker can still redirect authenticated
users to arbitrary external domains.
After logging in, the application processes a redirect via: https://lovable.dev/auth/post-login?redirect=/..//google.com
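To show why the blocklist fix described above is bypassable and what a robust check looks like, here is an added example (not code from the report or from lovable.dev) with two assumed reconstructions: `naiveSafeRedirect`, a blocklist-style validator that emits a relative `Location` value, and `safeRedirect`, which resolves the parameter against the site origin and only ever returns an absolute same-origin URL. The origin string and function names are assumptions for illustration.

```javascript
// Assumed site origin (the report concerns lovable.dev).
const ORIGIN = 'https://lovable.dev';

// Reconstruction of a blocklist-style fix: rejects the backslash payloads the
// report says were patched, then normalises the path with the WHATWG URL parser
// and redirects to the *relative* result. The "/.." segment is consumed by the
// parser but the following "//" survives, so "/..//google.com" becomes the
// protocol-relative "//google.com", which the browser resolves off-site.
function naiveSafeRedirect(redirect) {
  if (!redirect.startsWith('/') || redirect.startsWith('//') ||
      redirect.startsWith('/\\') || redirect.toLowerCase().startsWith('/%5c')) {
    return '/';
  }
  const u = new URL(redirect, ORIGIN);
  return u.pathname + u.search; // relative Location header: the bug
}

// Hardened version: allow-list by origin instead of blocklisting characters.
// 1. Resolve the parameter against the trusted base with the real URL parser
//    (so "/\google.com" and "https://evil" both surface as a foreign origin).
// 2. Reject anything whose origin differs from the site origin.
// 3. Reject a normalised path that still begins with "//" (defence in depth).
// 4. Return the absolute href, never a relative string, so the browser cannot
//    reinterpret the path as a protocol-relative URL.
function safeRedirect(redirect) {
  const fallback = ORIGIN + '/';
  let target;
  try {
    target = new URL(redirect, ORIGIN);
  } catch {
    return fallback; // unparseable input
  }
  if (target.origin !== new URL(ORIGIN).origin) return fallback;
  if (target.pathname.startsWith('//')) return fallback;
  return target.href;
}

// Sample values taken from the report and constructed for comparison.
console.log(naiveSafeRedirect('/..//google.com')); // "//google.com" (off-site)
console.log(safeRedirect('/..//google.com'));      // "https://lovable.dev/"
console.log(safeRedirect('/dashboard?x=1'));       // "https://lovable.dev/dashboard?x=1"
```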