CVE-2023-49438: 
Python vulnerability analysis and mitigation

An open redirect vulnerability was discovered in Flask-Security-Too versions 5.3.2 and earlier. The vulnerability allows attackers to redirect unsuspecting users to malicious sites by exploiting the ?next parameter on the /login and /register routes (NVD, GitHub Advisory). The vulnerability was discovered in November 2023 and publicly disclosed on December 26, 2023.

The vulnerability exists due to insufficient validation of the URL specified within the next parameter. While Flask-Security-Too contains logic to validate that the URL is either relative or has the same network location as the requesting URL, this validation can be bypassed due to how web browsers normalize slashes in URLs. Example exploit URLs include 'https://example/login?next=/\github.com' and 'https://example/login?next=/github.com'. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability's impact is particularly significant for applications using Werkzeug >=2.1.0 as the WSGI layer, as this version changed the autocorrectlocationheader configuration to False by default. This means that location headers in redirects are relative by default, potentially affecting applications that were previously not vulnerable (GitHub Advisory).

Several mitigation options are available: 1) Update to Flask-Security-Too version 5.3.3 or later, 2) Add specific configuration options to the app including setting SECURITYREDIRECTVALIDATEMODE to 'regex' and configuring SECURITYREDIRECTVALIDATERE with appropriate validation patterns, or 3) For applications using Werkzeug >=2.1.0, manually ensure autocorrectlocationheader is set to True (GitHub Advisory).