6.1 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): CHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
@adonisjs/http-server has an Open Redirect vulnerability
AdonisJS HTTP Server is a package for handling HTTP requests in the AdonisJS framework. In @adonisjs/http-server versions prior to 7.8.1 and 8.0.0-next.0 through 8.1.3, and @adonisjs/core versions prior to 7.4.0, the response.redirect().back() method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header can cause the application to redirect users to a malicious external site. This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back'). This issue has been fixed in @adonisjs/http-server versions 7.8.1 and 8.2.0 and in @adonisjs/core version 7.4.0.
References
- https://github.com/adonisjs/http-server/security/advisories/GHSA-6qvv-pj99-48qm x_refsource_CONFIRM
- https://github.com/adonisjs/http-server/releases/tag/v7.8.1 x_refsource_MISC
- https://github.com/adonisjs/http-server/releases/tag/v8.2.0 x_refsource_MISC
Affected products
- ==< 7.4.0
- ==>= 8.0.0-next.0, < 8.2.0
- ==< 7.8.1
Matching in nixpkgs
pkgs.http-server
Simple zero-configuration command-line http server
pkgs.simple-http-server
Simple HTTP server in Rust
pkgs.perlPackages.HTTPServerSimple
Lightweight HTTP server
pkgs.perl5Packages.HTTPServerSimple
Lightweight HTTP server
pkgs.perlPackages.NetAsyncHTTPServer
Serve HTTP with IO::Async
pkgs.perl538Packages.HTTPServerSimple
Lightweight HTTP server
pkgs.perl540Packages.HTTPServerSimple
Lightweight HTTP server
pkgs.perl5Packages.NetAsyncHTTPServer
Serve HTTP with IO::Async
pkgs.perlPackages.HTTPServerSimplePSGI
Perl Web Server Gateway Interface Specification
pkgs.perlPackages.TestHTTPServerSimple
Test::More functions for HTTP::Server::Simple
pkgs.perl538Packages.NetAsyncHTTPServer
Serve HTTP with IO::Async
pkgs.perl540Packages.NetAsyncHTTPServer
Serve HTTP with IO::Async
pkgs.perl5Packages.HTTPServerSimplePSGI
Perl Web Server Gateway Interface Specification
pkgs.perl5Packages.TestHTTPServerSimple
Test::More functions for HTTP::Server::Simple
pkgs.perlPackages.HTTPServerSimpleMason
Simple mason server
pkgs.perl5Packages.HTTPServerSimpleMason
Simple mason server
pkgs.perlPackages.HTTPServerSimpleAuthen
Authentication plugin for HTTP::Server::Simple
pkgs.haskellPackages.symantic-http-server
symantic-http applied to the derivation of HTTP servers
- nixos-unstable 0.1.1.20190410
- nixpkgs-unstable 0.1.1.20190410
- nixos-unstable-small 0.1.1.20190410
- nixos-25.11 0.1.1.20190410
- nixos-25.11-small 0.1.1.20190410
- nixpkgs-25.11-darwin 0.1.1.20190410
pkgs.perl538Packages.HTTPServerSimplePSGI
Perl Web Server Gateway Interface Specification
pkgs.perl538Packages.TestHTTPServerSimple
Test::More functions for HTTP::Server::Simple
pkgs.perl540Packages.HTTPServerSimplePSGI
Perl Web Server Gateway Interface Specification
pkgs.perl540Packages.TestHTTPServerSimple
Test::More functions for HTTP::Server::Simple
pkgs.perl5Packages.HTTPServerSimpleAuthen
Authentication plugin for HTTP::Server::Simple
pkgs.perl538Packages.HTTPServerSimpleMason
Simple mason server
pkgs.perl540Packages.HTTPServerSimpleMason
Simple mason server
pkgs.perl538Packages.HTTPServerSimpleAuthen
Authentication plugin for HTTP::Server::Simple
pkgs.perl540Packages.HTTPServerSimpleAuthen
Authentication plugin for HTTP::Server::Simple
Package maintainers
- @anoadragon453 Andrew Morgan <andrew@amorgan.xyz>
- @Mephistophiles Maxim Zhukov <mussitantesmortem@gmail.com>
- @JarvisCraft Petr Portnov <mrjarviscraft+nix@gmail.com>