Reproduction
Fork with failing tests: https://github.com/ebsmoove/history/tree/bug-report/v4-open-redirect-cve-2025-68470
Steps to reproduce:
- Clone the fork:
git clone https://github.com/ebsmoove/history.git
- Checkout branch:
git checkout bug-report/v4-open-redirect-cve-2025-68470
- Install dependencies:
npm install
- Run tests:
npm test
- Observe 8 failing tests demonstrating the open redirect vulnerability
Fix available: #981
System Info
System:
OS: macOS 15.6.1
CPU: (12) arm64 Apple M2 Pro
Memory: 1.98 GB / 32.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 22.14.0 - /Users/X/.asdf/installs/nodejs/22.14.0/bin/node
npm: 10.9.2 - /Users/X/.asdf/plugins/nodejs/shims/npm
Used Package Manager
npm
Expected Behavior
Pathnames with embedded double-slashes like //evil.com should be normalized to /evil.com to prevent the browser from interpreting them as protocol-relative URLs that redirect to external sites.
Actual Behavior
Pathnames with embedded double-slashes like //evil.com are passed through unchanged, allowing browsers to interpret them as protocol-relative URLs (e.g., https://evil.com), enabling open redirect attacks.
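As an added illustration (not code from the history library and not the #981 patch), here is the normalization the Expected Behavior calls for, beside a check through the WHATWG URL parser that shows why the unnormalized pathname escapes the origin. It generalizes slightly: any leading run of forward or back slashes is collapsed, since the URL parser treats `\` like `/` and skips surplus slashes. The page URL and sample pathnames are constructed.

```javascript
// Added example, not the history library's own code or its #981 fix.
// Collapses a leading run of "/" or "\" in a pathname to one "/" and
// shows, via the WHATWG URL parser, how the raw value resolves.

// Collapse any leading run of slashes/backslashes to exactly one "/".
// Per the WHATWG URL spec, "\" is treated as "/" in special-scheme URLs
// and extra slashes after the first two are skipped, so "//evil.com",
// "///evil.com" and "/\evil.com" all become protocol-relative URLs.
// Interior double slashes (e.g. "/a//b") are left alone: they stay
// inside the path and never change the origin.
function normalizePathname(pathname) {
  if (typeof pathname !== "string") return pathname;
  return pathname.replace(/^[\/\\]+/, "/");
}

// Resolve a pathname the way a browser would (relative to the current
// page) and report whether the result lands on a different origin.
function resolvesOffOrigin(pathname, currentHref) {
  const base = new URL(currentHref);
  let target;
  try {
    target = new URL(pathname, base);
  } catch {
    return false; // unparsable input cannot navigate anywhere
  }
  return target.origin !== base.origin;
}

// Constructed sample inputs (assumed, not taken from any real report).
const CURRENT_PAGE = "https://app.example/";
const SAMPLES = [
  "//evil.com",        // the case from this report
  "///evil.com",       // surplus slashes are skipped by the parser
  "/\\evil.com",       // backslash is normalized to "/" by the parser
  "/evil.com",         // already safe: stays on the current origin
  "/account//settings" // interior "//" is harmless and kept as-is
];

// For each sample: where it resolves before and after normalization.
function audit(samples = SAMPLES, currentHref = CURRENT_PAGE) {
  return samples.map((p) => ({
    input: p,
    offOriginBefore: resolvesOffOrigin(p, currentHref),
    normalized: normalizePathname(p),
    offOriginAfter: resolvesOffOrigin(normalizePathname(p), currentHref),
  }));
}

console.table(audit());
```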