
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-cf57-c578-7jvv) affects Anubis versions prior to 1.23.0, discovered in October 2025. When using subrequest authentication mode, Anubis failed to properly validate redirect URLs, allowing potential cross-site scripting (XSS) attacks through the redir parameter. The issue was initially reported by security researchers nijel and mbiesiad against Weblate (GitHub Advisory).
The vulnerability stems from insufficient URL validation in the subrequest authentication mode. When processing requests, Anubis would accept and redirect to any URL scheme without proper validation. For example, a malicious request like GET https://example.com/.within.website/?redir=javascript:alert() would result in a response with Location: javascript:alert(). The vulnerability has been assigned a CVSS score of 0.0 (Low severity) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N (GitHub Advisory).
While most modern browsers block redirects to javascript: URLs, the vulnerability could potentially trigger dangerous behavior in certain scenarios, particularly when using custom protocols for third-party applications. The issue affects all users implementing subrequest authentication in Anubis versions before 1.23.0 (GitHub Advisory).
The vulnerability has been patched in Anubis version 1.23.0. The fix includes additional validation at several steps of the flow to prevent open redirects in subrequest auth mode and implements automated testing to prevent similar issues in the future (Anubis Commit).
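As an added illustration of the validation the fix describes (this is example code, not Anubis's own patch), the hypothetical validateRedirect below accepts only http/https URLs on the request host or absolute same-origin paths, so the javascript: redir from the advisory is refused instead of being echoed into Location:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// validateRedirect is a hypothetical hardening of the redir handling described
// above (not Anubis's code). It accepts only http/https URLs whose host equals
// the request host, or absolute paths on the same origin, so javascript:,
// data:, custom protocol handlers and protocol-relative //host URLs are refused.
func validateRedirect(redir, requestHost string) (string, error) {
	if redir == "" {
		return "", fmt.Errorf("empty redirect")
	}
	// Whitespace, control characters and backslashes have browser-specific
	// parsing quirks; refuse them rather than reason about each one.
	if strings.ContainsAny(redir, "\r\n\t \\") {
		return "", fmt.Errorf("redirect contains forbidden characters")
	}
	u, err := url.Parse(redir)
	if err != nil {
		return "", fmt.Errorf("unparseable redirect: %w", err)
	}
	// url.Parse lowercases the scheme, so "JavaScript:" is caught here too.
	if u.Scheme != "" && u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("unsupported redirect scheme %q", u.Scheme)
	}
	// Host includes the port, so the comparison is deliberately strict.
	if u.Host != "" && !strings.EqualFold(u.Host, requestHost) {
		return "", fmt.Errorf("redirect host %q does not match request host %q", u.Host, requestHost)
	}
	// No host: must be a plain absolute path ("https:///x" or "foo/bar" are refused).
	if u.Host == "" && (u.Scheme != "" || !strings.HasPrefix(u.Path, "/")) {
		return "", fmt.Errorf("redirect must be a same-host URL or an absolute path")
	}
	return u.String(), nil
}

func main() {
	// The request from the advisory: the redir parameter carries a javascript: URL.
	req, _ := url.Parse("https://example.com/.within.website/?redir=javascript:alert()")
	if target, err := validateRedirect(req.Query().Get("redir"), req.Host); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("Location:", target)
	}
}
```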
Source: This report was generated using AI