CVE-2025-64716
Severity: MEDIUM
Anubis < 1.23.0 - Open Redirect via Subrequest Authentication
Title source: llmDescription
Anubis is a Web AI Firewall Utility that challenges users' connections in order to protect upstream resources from scraper bots. Prior to version 1.23.0, when using subrequest authentication, Anubis did not validate the redirect URL and would redirect the user to a URL of any scheme. While most modern browsers do not allow a redirect to `javascript:` URLs, it could still trigger dangerous behavior in some cases. Anyone using subrequest authentication may be affected. Version 1.23.0 contains a fix for the issue.
References (3)
- Vendor Advisory (x_refsource_confirm): https://github.com/TecharoHQ/anubis/security/advisories/GHSA-cf57-c578-7jvv
- Patch (x_refsource_misc): https://github.com/TecharoHQ/anubis/commit/7ed1753fcced351c81961bf520a7bfb2caac6e88
- Various Sources (x_refsource_misc): https://pkg.go.dev/vuln/GO-2025-4086
Scores
CVSS v4
5.1
EPSS
0.0047
EPSS Percentile
37.0%
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-601
CWE-79
Status
published
Products (2)
- TecharoHQ/anubis: 0 - 1.23.0 (Go)
- TecharoHQ/anubis: < 1.23.0
Published
Nov 13, 2025
Tracked Since
Feb 18, 2026