Skip to main content

CVE-2024-52289

Reported by @PontusHanssen

Insecure default configuration for OAuth2 Redirect URIs

Summary

Redirect URIs in the OAuth2 provider in authentik are checked by RegEx comparison. When no Redirect URIs are configured in a provider, authentik will automatically use the first redirect_uri value received as an allowed redirect URI, without escaping characters that have a special meaning in RegEx. Similarly, the documentation did not take this into consideration either.

Given a provider with the Redirect URIs set to https://foo.example.com, an attacker can register a domain fooaexample.com, and it will correctly pass validation.

Patches

authentik 2024.8.5 and 2024.10.3 fix this issue.

The patched versions remedy this issue by changing the format that the Redirect URIs are saved in, allowing for the explicit configuration if the URL should be checked strictly or as a RegEx. This means that these patches include a backwards-incompatible database change and API change.

Manual action is required if any provider is intended to use RegEx for Redirect URIs because the migration will set the comparison type to strict for every Redirect URI.

Workarounds

When configuring OAuth2 providers, make sure to escape any wildcard characters that are not intended to function as a wildcard, for example replace . with \..

For more information

If you have any questions or comments about this advisory: