## Open Redirect Vulnerability in WorkOS Auth Callback Exposes Authenticated Users to Phishing Risk
A high-severity open redirect vulnerability has been identified in the authentication callback handler of a web application using WorkOS. The flaw exists in the code responsible for redirecting users after a successful login, specifically in the route handling the OAuth flow callback. The vulnerability allows an attacker to redirect authenticated users to arbitrary external domains by manipulating HTTP headers that the application trusts without validation.

The affected code builds the redirect target directly from the `x-forwarded-host` header, falling back to `host`, without checking the value against an allowlist of hosts the application is actually served on. When an OAuth pending parameter is present, the application prepends the unvalidated host to the authorization path; otherwise it uses the same untrusted host to redirect to the dashboard. In both branches the origin of the final redirect comes from the request rather than from configuration. A browser following a link does not set `x-forwarded-host` on its own, so the attacker needs some way to influence the headers the application sees on the victim's request: the report lists a misconfigured reverse proxy that passes client-supplied values through, header injection, and server-side request forgery. Wherever that is possible, the redirect can be pointed at any domain the attacker names.

The primary risk is phishing. A user who has just authenticated expects to be redirected and is likely to trust the destination, so an attacker-controlled site that mimics the real application is well placed to harvest credentials or session material. The affected code path is `apps/web/src/app/auth/callback/route.ts`, lines 51 through 62. Any deployment using this pattern is exposed to credential theft and session compromise if users interact with the malicious redirect target; the fix implied by the report is to derive the redirect origin from configuration or an allowlist rather than from request headers.
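The pattern the report describes, reduced to a pair of functions as an added TypeScript example (this is not the affected project's code): the header-trusting construction next to a hardened version that resolves the origin from an allowlist and validates the pending path. The header names match the report; the allowlist contents, the `/dashboard` fallback, the canonical origin and the shape of the pending authorization path are assumptions made for the example.

```typescript
// Added example, not code from the affected project. The header names follow
// the report; ALLOWED_HOSTS, CANONICAL_ORIGIN, "/dashboard" and the shape of the
// pending-auth path are assumptions chosen for illustration.

type HeaderMap = Record<string, string | undefined>;

// Constructed allowlist of hostnames this deployment is legitimately served on.
const ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "app.example.com",
  "staging.example.com",
]);
// Fallback when the request carries no usable, allowlisted host.
const CANONICAL_ORIGIN = "https://app.example.com";

// Vulnerable: the redirect base is taken straight from attacker-influenceable headers.
function vulnerableRedirectTarget(headers: HeaderMap, pendingAuthPath: string | null): string {
  const host = headers["x-forwarded-host"] ?? headers["host"] ?? "localhost";
  return pendingAuthPath ? `https://${host}${pendingAuthPath}` : `https://${host}/dashboard`;
}

// Hardened step 1: accept a header-derived host only if it parses cleanly and is allowlisted.
function resolveTrustedOrigin(headers: HeaderMap): string {
  const raw = headers["x-forwarded-host"] ?? headers["host"];
  if (!raw) return CANONICAL_ORIGIN;
  let hostname: string;
  try {
    // Parsing through URL lower-cases the host, drops a default port, and makes
    // userinfo tricks such as "app.example.com@evil.example" resolve to the real
    // host (evil.example) instead of matching on a prefix.
    hostname = new URL(`https://${raw}`).hostname;
  } catch {
    // Unparsable header value (embedded space, brackets, etc.): do not guess.
    return CANONICAL_ORIGIN;
  }
  return ALLOWED_HOSTS.has(hostname) ? `https://${hostname}` : CANONICAL_ORIGIN;
}

// Hardened step 2: the pending auth path must be a same-origin relative path.
// Rejects protocol-relative ("//evil.example"), absolute URLs, backslashes
// (which some URL parsers treat as "/") and control characters.
function safePath(p: string | null): string | null {
  if (!p || !p.startsWith("/") || p.startsWith("//")) return null;
  if (/[\\\u0000-\u001f\u007f]/.test(p)) return null;
  return p;
}

// Hardened redirect: a validated relative path resolved against a trusted origin
// cannot leave that origin, whatever the request headers said.
function safeRedirectTarget(headers: HeaderMap, pendingAuthPath: string | null): string {
  const origin = resolveTrustedOrigin(headers);
  const path = safePath(pendingAuthPath) ?? "/dashboard";
  return new URL(path, origin).toString();
}
```

In a route handler the header values would come from `request.headers.get("x-forwarded-host")` and `request.headers.get("host")`; a deployment that never legitimately serves the callback on more than one host can skip the allowlist entirely and always redirect to a configured canonical origin, which removes the header from the decision altogether.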
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: open-redirect, security-vulnerability, oauth, authentication, phishing
- **Credibility**: unverified
- **Published**: 2026-05-02 07:54:06
- **ID**: 78979
- **URL**: https://whisperx.ai/en/intel/78979