In early 2022, a critical security flaw was discovered in Forge, a popular server management tool by Laravel. Tracked as CVE-2022-0122, this vulnerability allowed attackers to exploit an Open Redirect flaw, redirecting users to potentially malicious third-party websites. In this post, we’ll break down what happened, show actual code that demonstrates the issue, and explain how attackers could abuse it. Whether you’re a developer, security enthusiast, or just curious about web security, read on to see how this bug worked and how to stay safe.
What is Open URL Redirection?
Open URL redirection is when an application lets users input a URL and then redirects to that link, but fails to properly validate or restrict where users can go. This sounds harmless, but criminals love it because:
- Phishing: They can make links appear trustworthy (like forge.laravel.com), but send you elsewhere.
The CVE-2022-0122 Vulnerability
In Forge, certain endpoints (such as logout pages or invitation links) accepted user-supplied parameters (like redirect) and simply sent users to whatever URL was given, without checking if it was a safe or trusted domain. This classic mistake opened the door to phishing attacks.
To make it easy to understand, imagine Forge had a logout route such as
// routes/web.php
Route::get('/logout', function(Request $request) {
Auth::logout();
$redirect = $request->input('redirect', '/');
return redirect($redirect);
});
Here, if users visit
https://evil.example.com" rel="nofollow">https://forge.laravel.com/logout?redirect=https://evil.example.com
They would be redirected directly to the attacker’s site after logging out, inheriting much of the trust of the original site.
Why is this Dangerous?
- Makes phishing easier: Victims see “forge.laravel.com” in the URL, click, and then are whisked away to a hacker’s site after a real login/logout.
- Steals session details: In edge cases, if cookies are passed or other resources are fetched, it could enable more advanced attacks.
An attacker would craft a link like
https://forge.laravel.com/logout?redirect=https://badguy.example/phishing
They send this URL by email or social media, claiming (for instance) that the user must "log out for security reasons." After the victim logs out, Forge redirects them straight to the attacker's fake login page, which looks just like Forge and steals their credentials.
`
https://forge.laravel.com/logout?redirect=https://yourdomain.com
Proof of Concept (PoC)
GET /logout?redirect=https://evil.example.com HTTP/1.1
Host: forge.laravel.com
Immediately after visiting this, the browser shows https://evil.example.com.
Laravel Forge moved quickly to patch the bug by
- Whitelisting: They made sure the redirect parameter only allowed paths within the application (e.g., /dashboard), not full external URLs (https://...).
Example of safer code
$redirect = $request->input('redirect', '/');
if (!Str::startsWith($redirect, ['/'])) {
$redirect = '/';
}
return redirect($redirect);
Or, even better
$allowed = ['/dashboard', '/profile', '/projects'];
if (!in_array($redirect, $allowed)) {
$redirect = '/';
}
return redirect($redirect);
Official References
- NIST CVE-2022-0122 entry
- Huntr report (original disclosure)
- Laravel Forge official site
Use whitelists for every redirect parameter.
- Always check for schemes like //external.com or https://.
Conclusion
CVE-2022-0122 teaches us that even simple features like redirects require careful coding and validation. If left unchecked, they can lead to major phishing and social engineering attacks. Always double-check user-supplied URLs — security is everybody’s job!
If you maintain any web app, audit your code for similar bugs today.
*Stay safe, code smart!*
*Have thoughts or questions about this vulnerability? Drop them below!*
Timeline
Published on: 01/06/2022 05:15:00 UTC
Last modified on: 01/12/2022 20:14:00 UTC