
Cloud Vulnerability DB
IdentityServer4 contains an Open Redirect vulnerability (GHSA-55p7-v223-x366) that affects all versions up to and including 4.1.2. The vulnerability was published and reviewed on July 31, 2024. This security issue affects the IdentityServer4 NuGet package, which is an OpenID Connect and OAuth 2.x framework for ASP.NET Core (GitHub Advisory).
The vulnerability allows attackers to craft malicious URLs that certain functions in IdentityServer will incorrectly treat as local and trusted. The affected components include the DefaultIdentityServerInteractionService's GetAuthorizationContextAsync method and IsValidReturnUrl method, which may incorrectly validate malicious URLs as safe. The vulnerability has been assigned a CVSS v4.0 score of 5.1 (Moderate severity) and is classified as CWE-601 (URL Redirection to Untrusted Site) (GitHub Advisory).
When exploited, if a malicious URL is returned as a redirect, some browsers will follow it to a third-party, untrusted site. While this vulnerability alone does not allow attackers to obtain user credentials, authorization codes, access tokens, refresh tokens, or identity tokens, it could be exploited as part of a phishing attack designed to steal user credentials (GitHub Advisory).
As IdentityServer4 is no longer supported, it will not receive a security update for this vulnerability. Users are advised to upgrade to Duende.IdentityServer. If upgrading is not possible, a workaround is to validate return URLs with IUrlHelper.IsLocalUrl from ASP.NET Core in the user interface code of the IdentityServer host, before issuing any redirect (GitHub Advisory).
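As an added example (not code from IdentityServer4, Duende, or the advisory), the following shows the advisory's workaround applied in a login action of an IdentityServer host UI; the controller, the action name and the `returnUrl` parameter are assumptions.

```csharp
using IdentityServer4.Services;
using Microsoft.AspNetCore.Mvc;

// Assumed host-side controller in the IdentityServer UI (hypothetical).
public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    // Assumed to run after a successful sign-in, with returnUrl taken from
    // the login form or query string (attacker-controllable input).
    private IActionResult RedirectAfterLogin(string returnUrl)
    {
        // Pattern affected by GHSA-55p7-v223-x366 (IdentityServer4 <= 4.1.2):
        // relying on IsValidReturnUrl alone may accept a URL that some browsers
        // then follow to a third-party site.
        //
        //   if (_interaction.IsValidReturnUrl(returnUrl))
        //       return Redirect(returnUrl);

        // Workaround from the advisory: ASP.NET Core's IUrlHelper.IsLocalUrl,
        // available on Controller as Url.IsLocalUrl. It accepts only
        // application-relative paths ("/path", "~/path") and rejects absolute
        // URLs and protocol-relative forms such as "//host/path".
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }

        // Anything that is not a local URL falls back to a fixed safe page
        // instead of being redirected to. Logging the rejected value helps
        // detect attempts against the login flow.
        return Redirect("~/");
    }
}
```

`ControllerBase.LocalRedirect(returnUrl)` performs the same `IsLocalUrl` check and throws on a non-local URL, which is an alternative when a hard failure is preferable to a silent fallback.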
Source: This report was generated using AI