CVE-2025-62379: 
Python vulnerability analysis and mitigation

CVE-2025-62379 affects Reflex, a library for building full-stack web applications in Python, versions 0.5.4 through 0.8.14. The vulnerability involves an open redirect issue in the /auth-codespace endpoint, which automatically assigns unvalidated redirect_to query parameter values to client-side links and triggers automatic clicks in GitHub Codespaces environments (GitHub Advisory, NVD).

The vulnerability occurs in the /auth-codespace endpoint where the code assigns the redirectto query parameter directly to a.href without validation and immediately triggers a click for automatic navigation. This behavior is activated when a Codespaces environment is detected through environment variables, specifically when GITHUBCODESPACESPORTFORWARDING_DOMAIN is set. The execution is based on a sessionStorage flag, triggering on first visits or in incognito/private browsing windows, with no server-side origin/scheme whitelist or internal path enforcement defenses. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (LOW) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N (GitHub Advisory).

The vulnerability enables phishing and social engineering attacks by allowing immediate redirection from trusted domains to external malicious sites. This can lead to login page spoofing, credential harvesting, and redirection to malware distribution pages. Additionally, it can disrupt authentication and session flows when users with valid sessions are redirected to unintended external domains, potentially escalating into security incidents when combined with redirect-based flows like OAuth/OIDC (GitHub Advisory).

The vulnerability has been patched in version 0.8.15. As a workaround, users should ensure that GITHUBCODESPACESPORTFORWARDINGDOMAIN is not set in production environments. This can be verified using the assertion: assert os.getenv("GITHUBCODESPACESPORTFORWARDINGDOMAIN") is None (GitHub Advisory, NVD).