Bunker Web 1.6.2 - Uncontrolled external site redirect

Description

An open redirect vulnerability has been identified in the BunkerWeb application version 1.6.2, specifically affecting the /loading endpoint.

This vulnerability enables attackers to redirect authenticated users to an arbitrary web server or domain.

Vulnerability

The vulnerable endpoint is '/loading', which accepts a 'next' parameter intended to redirect users after they have logged in.

The payload that bypasses application protection uses a protocol-relative path:

/loading?next=%2f%2fexample.com%2f

This payload decodes to:

/loading?next=//example.com

When the browser processes //example.com/, it interprets it as an external URL (https://example.com/) and this leads to an open redirect.

Exploitation scenario

• After logging in, users are automatically redirected to the '/loading' page.

• An attacker can create a link to '/loading?next=//malicious.site/', which redirects the victim after they have logged in.

• This redirect can also affect users who are already logged in, as accessing the endpoint directly triggers the redirection.

PoC

This is a link for a user who has already been authenticated:

https://bunkerwebapp.com/loading?next=%2f%2fexample.com%2f

This is a link for an unauthenticated user (who will be redirected once they have logged in):

https://bunkerwebapp.com/login?next=%2f%2fexample.com%2f

Our security policy

We have reserved the ID CVE-2025-8066 to refer to this issue from now on.

Disclosure policy

System Information

Bunker Web

• Version 1.6.2

• Operative System: Ubuntu 24.04 LTS x86_64

References

• Github Repository: https://github.com/bunkerity/bunkerweb

• Security: https://github.com/bunkerity/bunkerweb/security

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Johan Giraldo from Fluid Attacks' Offensive Team.