CVE-2025-60868: 
PHP vulnerability analysis and mitigation

The Alt Redirect 1.6.3 addon for Statamic contains a security vulnerability identified as CVE-2025-60868, discovered in October 2025. The vulnerability affects the Query String Strip feature, which fails to consistently strip query string parameters. This security mechanism bypass vulnerability was found in Alt Redirect version 1.6.3 running on Statamic v5.64 (GitHub POC, Release Notes).

The vulnerability stems from a query-string stripping logic flaw where the Query String Strip feature fails to properly handle case variations, double-encoded parameters, and duplicate query parameters. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (AttackerKB).

The vulnerability can lead to multiple security issues including cache poisoning where different encoded/cased forms are treated as distinct keys, parameter pollution affecting downstream routing or business logic, inconsistent or malformed redirects resulting in 404 responses, and potential denial-of-service if exploited at scale (GitHub POC).

The vulnerability has been patched in Alt Redirect version 1.6.4, released on October 13th, 2025. The update improves validation and normalization in the query string stripping logic to resolve cases where certain query parameters could bypass stripping. Users are recommended to upgrade to version 1.6.4 to ensure redirects behave safely and consistently (Release Notes).