Impact
Probo's saferedirect package validates redirect URLs used across authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). The validator only inspected the second character of relative paths, so a URL like /../\evil.com passed validation because the second character is .. Go's http.Redirect normalizes this path to /\evil.com before setting the Location header. Browsers can interpret the backslash as a host separator and redirect the user to an external domain (https://evil.com), bypassing the intended same-origin restriction. This enables open-redirect phishing: an attacker can craft a continue parameter (or embed a malicious URL in a session-transfer token) that appears to originate from a trusted Probo domain but redirects victims elsewhere.
Patches
Fixed in go.probo.inc/probo by normalizing relative paths with path.Clean before validation, rejecting backslashes (including percent-encoded %5c) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.
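As an added illustration (not Probo's own code), the following Go program models the flawed second-character check described in the Impact section beside a validator built from the patch description above: reject backslashes whether raw or percent-encoded as %5c, normalize with path.Clean, and re-check the prefix afterwards. The function names, the url.Parse pre-step (which also rejects anything carrying a scheme or host) and the query-string recomposition are assumptions of this example, and the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// vulnerableSecondCharCheck models the flawed logic the advisory describes:
// only the second character of a relative path is inspected. Illustrative
// model only, not Probo's actual validator.
func vulnerableSecondCharCheck(raw string) bool {
	if raw == "" || raw[0] != '/' {
		return false
	}
	if len(raw) >= 2 && (raw[1] == '/' || raw[1] == '\\') {
		return false
	}
	return true // "/../\evil.com" passes: its second character is '.'
}

// IsSafeRelativeRedirect applies the hardened rules from the patch
// description: parse, reject anything with a scheme or host, reject
// backslashes (raw or percent-encoded %5c) anywhere, normalize the path
// with path.Clean, and re-check the result for "//" and "/\" prefixes.
// It returns the normalized path (plus query) that is safe to redirect to.
func IsSafeRelativeRedirect(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return "", false
	}
	// Reject backslashes before normalization: path.Clean does not treat
	// '\' as a separator, so "/../\evil.com" would otherwise survive as
	// "/\evil.com". url.Parse already decoded %5c into u.Path, but the raw
	// string is checked too so encoded variants fail closed.
	if strings.Contains(u.Path, `\`) || strings.Contains(strings.ToLower(raw), "%5c") {
		return "", false
	}
	// Pre-normalization prefix check: "/%2F%2Fevil.com" decodes to
	// "///evil.com", which path.Clean would collapse to a local-looking
	// "/evil.com", so the raw decoded path must be checked first.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", false
	}
	cleaned := path.Clean(u.Path)
	// Post-normalization re-check, as the patch description requires.
	if strings.HasPrefix(cleaned, "//") || strings.HasPrefix(cleaned, `/\`) {
		return "", false
	}
	if u.RawQuery != "" {
		cleaned += "?" + u.RawQuery
	}
	return cleaned, true
}

func main() {
	// Constructed sample inputs for demonstration.
	inputs := []string{`/../\evil.com`, "/foo%5Cbar", "//evil.com", "/%2F%2Fevil.com", "https://evil.com", "/a/../dashboard?tab=1"}
	for _, in := range inputs {
		safe, ok := IsSafeRelativeRedirect(in)
		fmt.Printf("%-24q flawed=%-5v hardened=%-5v -> %q\n", in, vulnerableSecondCharCheck(in), ok, safe)
	}
}
```

The ordering matters: the backslash and "//" checks run on the decoded path before path.Clean, because Clean both drops a leading ".." and collapses repeated slashes, which is exactly what let the original single-character check be bypassed.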
Self-hosted deployments should upgrade to probod v0.194.1 or later.
SaaS deployments on getprobo.com are patched.
Workarounds
No practical workaround for self-hosted installations. Upgrade to the patched release.
References