In today’s security-conscious world, even small missteps in web applications can open the door to big troubles. CVE-2022-43985 is a great case in point – it exposed an open redirect vulnerability in the popular data orchestration tool, Apache Airflow, specifically affecting its /confirm endpoint in versions before 2.4.2. In this writeup, we’ll break down how this happened, show some code, and explain how an attacker could have taken advantage of it.
What is an Open Redirect?
An *open redirect* happens when a web application lets users provide a URL to which the server will redirect them, but doesn't bother to check if it's a safe, internal link. Attackers can leverage this to send users to malicious websites—perfect for phishing attacks.
Where Was the Problem?
Before version 2.4.2, Apache Airflow's webserver had a /confirm endpoint typically used during password resets or similar confirmation flows, like:
https://airflow.example.com/confirm?redirect=https://malicious.com
It took a redirect parameter and, if given, would send the user there—without checking whether it was actually a trustworthy destination!
The Vulnerable Code
Here’s a simplified (and vulnerable) Python/Flask snippet similar to what existed in Airflow before the fix:

```python
from flask import Flask, redirect, request

app = Flask(__name__)


@app.route('/confirm')
def confirm():
    # Attacker-controlled value taken straight from the query string.
    redirect_url = request.args.get("redirect", "/home")
    # 🚨 No validation here: any absolute URL is accepted as-is.
    return redirect(redirect_url)
```
How Could Attackers Exploit It?
1. Phishing: They’d send users a legit-looking Airflow link, but the redirect would go to their evil site:
```
https://airflow.example.com/confirm?redirect=https://evil.com
```
The victim thinks they’re clicking an internal link, but after the confirmation, they land at the malicious site.
2. Stealing Cookies: If your users are auto-logged into Airflow, attackers could mimic your login process, trick them into logging in, and redirect them away to a site ready to snatch any open session tokens (unless protected with HttpOnly/SameSite).
3. Malicious Payloads: Open redirects can be chained with other techniques—think OAuth token theft or malware downloads.
The Patch
Recognizing the severity, the Airflow team quickly patched this. In the fixed version, only safe local redirects are honored:
```python
from urllib.parse import urljoin, urlparse

from flask import Flask, redirect, request, url_for

app = Flask(__name__)


@app.route('/home')
def home():
    return "Airflow home"


def is_safe_url(target):
    # Resolve the target against our own host URL, then require that the
    # result uses http(s) and points at the same host we are serving from.
    ref_url = urlparse(request.host_url)
    test_url = urlparse(urljoin(request.host_url, target))
    return test_url.scheme in ('http', 'https') and ref_url.netloc == test_url.netloc


@app.route('/confirm')
def confirm():
    redirect_url = request.args.get("redirect")
    # Only honour redirects that resolve to this host; otherwise fall back to home.
    if redirect_url and not is_safe_url(redirect_url):
        return redirect(url_for('home'))
    return redirect(redirect_url or url_for('home'))
```
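To see what that same-host rule actually accepts and rejects, here is an added, stand-alone version of the check (not Airflow's code) that takes the host URL as a parameter instead of reading `request.host_url`, so it runs without Flask. The host name and candidate redirect values are constructed for illustration; `is_safe_local_path` is an added stricter variant that only accepts relative in-app paths.

```python
from urllib.parse import urljoin, urlparse

# Constructed host URL standing in for request.host_url on a real deployment.
HOST_URL = "https://airflow.example.com/"


def is_safe_url(target: str, host_url: str = HOST_URL) -> bool:
    """Same rule as the patched /confirm handler, with host_url passed in
    explicitly so it can be exercised outside a Flask request context."""
    ref_url = urlparse(host_url)
    test_url = urlparse(urljoin(host_url, target))
    return test_url.scheme in ("http", "https") and ref_url.netloc == test_url.netloc


def is_safe_local_path(target: str, host_url: str = HOST_URL) -> bool:
    """Stricter variant: accept only a relative path on this host.
    Rejects absolute URLs outright (even same-host ones), scheme-relative
    '//host' forms, and backslashes or control characters, which browsers
    may normalise before following the Location header."""
    if not target.startswith("/") or target.startswith("//"):
        return False
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return False
    return is_safe_url(target, host_url)


def classify(targets, host_url=HOST_URL):
    """Return {target: (page_check, strict_check)} for a batch of candidates."""
    return {t: (is_safe_url(t, host_url), is_safe_local_path(t, host_url)) for t in targets}


if __name__ == "__main__":
    # Constructed candidates: legitimate in-app paths plus the kinds of
    # external destinations the /confirm check must refuse.
    candidates = [
        "/home",
        "/dags/list?tag=prod",
        "https://airflow.example.com/home",
        "https://www.google.com",
        "//evil.example/",
        "javascript:alert(1)",
        "HTTPS://EVIL.EXAMPLE/",
    ]
    for target, (lax, strict) in classify(candidates).items():
        print(f"{target!r:40} page check={lax!s:5} strict={strict}")
```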
Check your Airflow version
```
airflow version
```
If it’s before 2.4.2, update!
You can also test manually:
Visit /confirm?redirect=https://www.google.com
If you get redirected away from your Airflow domain, you’re vulnerable.
Resources & References
- Official CVE Entry
- ASF JIRA ticket AIRFLOW-9379 (Patch discussion)
- Apache Airflow Release Notes 2.4.2
Final Thoughts
It’s easy to overlook something as “small” as a redirect parameter. But as CVE-2022-43985 shows, attackers love those opportunities. Always validate and sanitize user inputs, especially URLs! And if you’re running Airflow—patch now if you haven’t.
Timeline
Published on: 11/02/2022 12:15:00 UTC
Last modified on: 11/03/2022 13:52:00 UTC