GHSA-564j-v29w-rqr6: 
Python vulnerability analysis and mitigation

A moderate severity open redirect vulnerability (GHSA-564j-v29w-rqr6) was discovered in Khoj's login page affecting versions prior to 1.14.0. The vulnerability was disclosed on July 8, 2024, and allows attackers to use the 'next' parameter on the login page to redirect victims to malicious pages while masking them with legitimate-looking app.khoj.dev URLs (GitHub Advisory).

The vulnerability exists in the authentication module (auth.py) where the 'next' parameter in the login URL is not properly validated. When a URL like https://app.khoj.dev/login?next=//example.com is accessed in Gecko-based browsers like Firefox, it redirects users to https://example.com. The issue was identified in the auth method at line 95 of the source code. The vulnerability has been assigned a CVSS v4.0 score of 6.3, indicating moderate severity, with attack vector being Network, attack complexity Low, and requiring no privileges (GitHub Advisory).

The vulnerability's impact is considered low and primarily poses a risk through potential phishing attempts. Attackers could exploit this vulnerability to redirect users to malicious websites while appearing to come from a legitimate Khoj domain (GitHub Advisory).

The vulnerability has been patched in version 1.14.0 of Khoj. The fix involves implementing proper validation of the next URL parameter to ensure it only redirects to relative paths within the current domain (GitHub Commit).