The redirectBack() utility in h3 validates that the Referer header shares the same origin as the request before using its pathname as the redirect Location. However, the pathname is not sanitized for protocol-relative paths (starting with //). An attacker can craft a same-origin URL with a double-slash path segment that passes the origin check but produces a Location header interpreted by browsers as a protocol-relative redirect to an external domain.
The vulnerable code is in src/utils/response.ts:89-97:
export function redirectBack(
event: H3Event,
opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},
): HTTPResponse {
const referer = event.req.headers.get("referer");
let location = opts.fallback ?? "/";
if (referer && URL.canParse(referer)) {
const refererURL = new URL(referer);
if (refererURL.origin === event.url.origin) {
// BUG: pathname can be "//evil.com/path" which browsers interpret
// as a protocol-relative URL
location = refererURL.pathname + (opts.allowQuery ? refererURL.search : "");
}
}
return redirect(location, opts.status);
}
The root cause is a discrepancy between how the WHATWG URL parser and browsers handle double-slash paths:
new URL("http://target.com//evil.com/path").origin → "http://target.com" — origin check passesnew URL("http://target.com//evil.com/path").pathname → "//evil.com/path" — extracted as redirect locationLocation: //evil.com/path → interprets as protocol-relative URL → redirects to evil.comAttack scenario: The attacker shares a link like http://target.com//evil.com/page. If the target application has catch-all routes (common in SPAs built with h3/Nitro), the app serves its page at that URL. When the user navigates to an endpoint calling redirectBack(), the browser sends Referer: http://target.com//evil.com/page. The origin check passes, and the user...
2.0.1-rc.172.0.1-rc.18Exploitability
AV:NAC:LPR:NUI:RScope
S:UImpact
C:LI:LA:N5.4/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N