Nixpkgs security tracker

Untriaged

Permalink CVE-2026-28512

7.1 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

Pocket ID: OAuth redirect_uri validation bypass via userinfo/host confusion

Pocket ID is an OIDC provider that allows users to authenticate with their passkeys to your services. From 2.0.0 to before 2.4.0, a flaw in callback URL validation allowed crafted redirect_uri values containing URL userinfo (@) to bypass legitimate callback pattern checks. If an attacker can trick a user into opening a malicious authorization link, the authorization code may be redirected to an attacker-controlled host. This vulnerability is fixed in 2.4.0.

References

https://github.com/pocket-id/pocket-id/security/advisories/GHSA-9h33-g3ww-mqff x_refsource_CONFIRM
https://github.com/pocket-id/pocket-id/commit/3a339e33191c31b68bf57db907f800d9de5ffbc8 x_refsource_MISC

Affected products

pocket-id

==>= 2.0.0, < 2.4.0

Matching in nixpkgs

pkgs.pocket-id

OIDC provider with passkeys support

nixos-unstable 2.3.0
- nixpkgs-unstable 2.3.0
- nixos-unstable-small 2.4.0
nixos-25.11 1.15.0
- nixos-25.11-small 1.15.0
- nixpkgs-25.11-darwin 1.15.0

Package maintainers

@marcusramberg Marcus Ramberg <marcus@means.no>
@gepbird Gutyina Gergő <gutyina.gergo.2@gmail.com>
@ymstnt ymstnt

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.pocket-id

Package maintainers