# Open Redirect via Untrusted URLs

- ID: javascript-open-redirect
- Severity: MEDIUM
- CWE: Open Redirect (CWE-601)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs, nextjs

## Description

Detects user input flowing into redirect functions without URL validation.

## Detection Message

Untrusted input from {source} reaches redirect function at {sink}. This allows an attacker to redirect users to malicious websites in phishing attacks.

## Remediation

Validate redirect URLs against an allowlist, or ensure they are relative paths on the application's own origin. Note that a bare "starts with a slash" check is not sufficient: browsers treat `//evil.example` (and, for most URL parsers, `/\evil.example`) as protocol-relative absolute URLs, so the check below also rejects a second slash or backslash.

```javascript
const ALLOWED = ['/home', '/dashboard', '/profile'];
// A bare startsWith('/') check is not enough: browsers treat '//evil.example'
// and '/\evil.example' as protocol-relative absolute URLs.
const isLocalPath = url.startsWith('/') && !/^\/[\/\\]/.test(url);
if (ALLOWED.includes(url) || isLocalPath) {
  res.redirect(url);
}
```

Learn more: https://shoulder.dev/learn/javascript/cwe-601/open-redirect

## Related Rules

- **Open Redirect** [MEDIUM]
- **Next.js Open Redirect** [MEDIUM]
- **Open Redirect** [MEDIUM]
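String-prefix checks are brittle against the many spellings a URL can take, so a more robust remediation is to resolve the untrusted value with the WHATWG `URL` parser against the application's own origin and accept it only when the resulting origin is unchanged and the path is on the allowlist. The following is an added example written for this page, not the rule's or the shoulder.dev project's own code; `APP_ORIGIN`, `ALLOWED_PATHS`, `FALLBACK`, `safeRedirectTarget` and `loginHandler` are hypothetical names assumed for the example, and the handler assumes an Express-style `req`/`res` pair.

```javascript
// Added example (not the rule page's own code): redirect-target validation
// using the WHATWG URL parser instead of string prefix checks.

// Hypothetical application origin and allowlist, assumed for the example.
const APP_ORIGIN = 'https://app.example';
const ALLOWED_PATHS = ['/home', '/dashboard', '/profile'];
const FALLBACK = '/home';

// Returns a same-origin path (plus query and fragment) that is safe to pass to
// res.redirect(), or FALLBACK when the input cannot be trusted.
function safeRedirectTarget(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return FALLBACK;
  }
  // Reject control characters and backslashes up front: the WHATWG parser
  // treats '\' as '/' for http(s), so '/\host' would otherwise become '//host'.
  if (/[\x00-\x1f\x7f\\]/.test(input)) return FALLBACK;

  let parsed;
  try {
    // Relative inputs resolve against APP_ORIGIN; absolute ones keep their own
    // scheme and host, which the origin comparison below then catches.
    parsed = new URL(input, APP_ORIGIN);
  } catch {
    return FALLBACK;
  }

  // Absolute URLs to other hosts, protocol-relative '//host' forms and
  // non-http schemes such as javascript: all yield a different origin.
  if (parsed.origin !== APP_ORIGIN) return FALLBACK;

  // Only allowlisted paths are accepted; dot segments have already been
  // normalised by the parser, so '/dashboard/../profile' compares as '/profile'.
  if (!ALLOWED_PATHS.includes(parsed.pathname)) return FALLBACK;

  // Re-serialise path + query + fragment only, so the Location header never
  // carries a host component taken from user input.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Express-style handler using the validator on a 'next' query parameter.
function loginHandler(req, res) {
  res.redirect(safeRedirectTarget(req.query.next));
}
```

Comparing `parsed.origin` rather than the raw string means the check survives the variants a prefix test misses (`//evil.example`, `https://evil.example`, `javascript:` URLs), while re-serialising only the path, query and fragment guarantees the emitted `Location` header is always same-origin even if the allowlist is later widened.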