CVE-2025-1300: 
Python vulnerability analysis and mitigation

CodeChecker, an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy, contains an open redirect vulnerability identified as CVE-2025-1300. The vulnerability was discovered and disclosed on February 28, 2025, affecting CodeChecker versions through 6.24.5. The issue stems from missing protections against multiple slashes after the product name in the URL (GitHub Advisory, NVD).

The vulnerability occurs in the URL processing mechanism of the CodeChecker web server. When processing GET requests, the server first rewrites the path segment of the URL and then passes the rewritten URL to the webserver framework. The security flaw exists in the product name trimming process, where no proper sanitization is performed on the remaining URL. This implementation weakness bypasses the protections previously put in place against CVE-2021-28861. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network vector attack with low complexity and no privileges required (GitHub Advisory).

The vulnerability enables attackers to create hyperlinks that appear as legitimate CodeChecker URLs but redirect users to attacker-controlled websites when clicked. This poses a significant risk for phishing attacks and potential distribution of malware through seemingly trustworthy links (GitHub Advisory).

The vulnerability has been patched in CodeChecker version 6.24.6. Users are advised to upgrade to this version or later to mitigate the risk (GitHub Advisory).