Redirect Vulnerability in Reflex Library for Full-Stack Web Apps
CVE-2025-62379

3.1 LOW

Key Information:

Vendor: Reflex-dev
Status: Vendor
CVE Published: 15 October 2025

What is CVE-2025-62379?

The Reflex library, used for building full-stack web applications in Python, contains a vulnerability affecting versions 0.5.4 through 0.8.14. The issue is in the /auth-codespace endpoint, which assigns the redirect_to query parameter directly to a client-side link without validating it. When triggered in a GitHub Codespaces environment, the flaw allows users to be redirected to arbitrary external URLs via an automatic click on that link when the page loads. The impact is broader because the vulnerable behaviour is also reachable in production deployments whenever the GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN environment variable is set. The vulnerability can therefore expose users to phishing and direct them to malicious external sites. The issue was corrected in version 0.8.15; as an interim measure, users are advised not to set that environment variable in production.
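The defect class described above, a redirect_to value copied verbatim into a client-side link, beside a same-origin check that closes it, as an added illustration that is not Reflex's code (the handler shape, the function names and DEFAULT_LANDING are assumptions):

```python
"""Added illustration of the open-redirect class behind CVE-2025-62379.

Hypothetical code, not taken from Reflex: the handler shape, the
function names and DEFAULT_LANDING are assumptions. The advisory states
that /auth-codespace copied redirect_to into a client-side link without
validation; the validated variant below only accepts a same-origin path.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

DEFAULT_LANDING = "/"  # assumed fallback target when the value is rejected


def is_safe_redirect(target: Optional[str]) -> bool:
    """True only for an absolute path on this origin (e.g. '/dashboard').

    Rejects absolute URLs, scheme-relative URLs ('//host/...'), backslash
    variants that browsers normalise to '/', percent-encoded forms of the
    same, and control characters that could break out of the link.
    """
    if not target:
        return False
    candidate = unquote(target)  # so '%2F%2Fevil' is judged as '//evil'
    if any(ord(ch) < 0x20 for ch in candidate) or "\\" in candidate:
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:  # 'https://...', 'javascript:...'
        return False
    return candidate.startswith("/") and not candidate.startswith("//")


def unvalidated_redirect(redirect_to: Optional[str]) -> str:
    """The vulnerable pattern: the query value becomes the link as-is."""
    return redirect_to or DEFAULT_LANDING


def validated_redirect(redirect_to: Optional[str]) -> str:
    """The hardened pattern: fall back to a fixed path on any doubt."""
    return redirect_to if is_safe_redirect(redirect_to) else DEFAULT_LANDING


if __name__ == "__main__":
    for value in ["/dashboard", "//evil.example/", "https://evil.example/"]:
        print(f"{value!r}: unvalidated -> {unvalidated_redirect(value)!r}, "
              f"validated -> {validated_redirect(value)!r}")
```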

Affected Version(s)

reflex >= 0.5.4, < 0.8.15

CVSS v3.1

Score: 3.1
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
