MEDIUM 6.1
PYSEC-2026-631
Open Redirect in django-spirit
Details
django-spirit prior to version 0.12.3 is vulnerable to open redirect. In the /user/login endpoint, it doesn't check the value of the next parameter when the user is logged in and passes it directly to redirect which result to open redirect. This also affects /user/logout, /user/register, /user/login, /user/resend-activation.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / django-spirit
Introduced in:
0 Fixed in: 0.12.3 Fix
pip install --upgrade 'django-spirit>=0.12.3' References
- https://nvd.nist.gov/vuln/detail/CVE-2022-0869 [ADVISORY]
- https://github.com/nitely/spirit/commit/8f32f89654d6c30d56e0dd167059d32146fb32ef [WEB]
- https://github.com/nitely/spirit [PACKAGE]
- https://huntr.dev/bounties/ed335a88-f68c-4e4d-ac85-f29a51b03342 [WEB]
- https://pypi.org/project/django-spirit [PACKAGE]
- https://github.com/advisories/GHSA-5p9j-w2wx-qx4c [ADVISORY]