## Critical Open Redirect Flaw in set_lang Endpoint Exposes Users to Phishing via Unvalidated Referer Header
A critical open redirect vulnerability has been identified in the set_lang endpoint within app/routers/auth.py, according to a P0 security finding from a code review conducted on May 2, 2026. The endpoint directly incorporates the Referer header into RedirectResponse without validation, allowing an attacker to redirect authenticated users to any external domain. A request carrying Referer: https://evil.com would seamlessly forward the user to an attacker-controlled site, exploiting trust established by the legitimate application.

The vulnerability is simple in structure but significant in impact. When set_lang processes a request, it reads the Referer value and uses it as the redirect target without any origin check. Browsers populate Referer with the URL of the page the request came from, so any malicious page that sends a visitor to the vulnerable endpoint supplies its own URL as the destination and can deliver the user to a phishing landing page, credential harvester, or malware host. Exploitation requires no special privileges and no user interaction beyond ordinary navigation, which makes it directly weaponizable in targeted campaigns or mass phishing operations.

The security finding classifies this as production-exploitable with direct impact, placing it at the highest priority for remediation. Proposed fixes center on same-origin validation: the set_lang endpoint must restrict redirects to relative paths only, stripping external Referer values down to path and query components. Acceptance criteria require implementation of test_set_lang_rejects_external_redirect to verify that no redirect to external domains occurs. Without immediate action, any user interacting with the affected endpoint remains vulnerable to crafted Referer-based redirection attacks.
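The proposed fix, as an added example that is not the project's own code: a stdlib-only Python sanitiser that reduces the Referer to its path and query and falls back to a site-local default for the forms that would still leave the site (a scheme-relative `//host` path, backslash variants, non-path schemes such as `javascript:`). The function name and the `app.example` host are assumptions; the FastAPI endpoint itself is not reproduced, only the computation of the redirect target.

```python
"""Same-origin redirect sanitiser for a set_lang-style endpoint (added example)."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

SAFE_DEFAULT = "/"  # where to send the user when the Referer is unusable


def safe_redirect_target(referer: Optional[str], default: str = SAFE_DEFAULT) -> str:
    """Reduce a Referer value to a site-local path+query, else return `default`.

    Rules, in order:
      1. missing or blank Referer -> default
      2. backslashes become '/', because browsers treat the two alike in URLs
      3. scheme and host are discarded (the 'path and query only' fix)
      4. the path must start with exactly one '/': a '//host' path is a
         scheme-relative URL and would still send the browser off-site
      5. any control character that survives parsing -> default
    """
    if not referer or not referer.strip():
        return default
    parts = urlsplit(referer.strip().replace("\\", "/"))
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default
    target = urlunsplit(("", "", path, parts.query, ""))
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return default
    return target


if __name__ == "__main__":
    # Constructed inputs: the report's evil.com case plus variants that a
    # naive "drop the host" fix still gets wrong.
    for ref in ["https://evil.com", "https://evil.com/login?next=1",
                "https://app.example/settings?tab=lang", "//evil.com/x",
                "https:////evil.com", "/\\evil.com", "javascript:alert(1)", None]:
        print(f"{ref!r:45} -> {safe_redirect_target(ref)!r}")
```
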

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: open-redirect, referer-header, security-vulnerability, authentication, phishing
- **Credibility**: unverified
- **Published**: 2026-05-02 01:54:09
- **ID**: 78943
- **URL**: https://whisperx.ai/en/intel/78943