gematik ref-idp-server
Open Redirect via Unvalidated redirect_uri
The gematik ref-idp-server contains an open redirect vulnerability in its error handler. When request parameter validation fails, the error handler takes the redirect_uri straight from the HTTP request and issues a 302 to it without checking it against the redirect URIs registered for the OAuth client, allowing an attacker to bounce users from the IDP to an arbitrary site.
Description
When a parameter validation error triggers a 302 error response, the redirect_uri is read directly from the HTTP request and is not validated against the registered clients. The normal authentication flow does validate redirect_uri against the client's registration, but that check runs inside the controller method body. When a Jakarta Bean Validation constraint on a request parameter fails, the framework raises a ConstraintViolationException before the controller body executes, so the check is never reached.
An attacker therefore crafts a request with a valid client_id, an attacker-controlled redirect_uri, and a deliberately invalid parameter such as a malformed code_challenge. The resulting ConstraintViolationException is handled by the error handler, which redirects to the attacker-controlled redirect_uri without ever calling the redirect_uri validation.
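The following Spring example is added here to illustrate the handler pattern described above; it is not code from ref-idp-server, and the class names, the ClientRegistry map and the isRegisteredRedirectUri helper are assumptions made for the example. The first class shows the vulnerable shape (redirect target taken from the request in a ConstraintViolationException handler); the second shows the hardened form, which checks the redirect_uri against the client's registered URIs with an exact match and otherwise answers the user agent directly instead of redirecting, as RFC 6749 section 4.1.2.1 requires.

```java
// Added illustration, not code from the gematik ref-idp-server.
// Only one of the two advice classes below may be on the classpath at a time:
// Spring rejects two @ExceptionHandler methods for the same exception type.
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.ConstraintViolationException;
import java.net.URI;
import java.util.Map;
import java.util.Set;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.util.UriComponentsBuilder;

// Assumed stand-in for the IDP's client registration: client_id -> exact redirect URIs.
final class ClientRegistry {
    static final Map<String, Set<String>> REGISTERED_CLIENTS = Map.of(
        "example-client", Set.of("https://app.example.org/callback"));

    private ClientRegistry() {}

    // Exact string comparison. Prefix or host-only matching reopens the redirect
    // (e.g. a path on the legitimate host that itself forwards elsewhere).
    static boolean isRegisteredRedirectUri(String clientId, String redirectUri) {
        if (clientId == null || redirectUri == null) {
            return false;
        }
        Set<String> allowed = REGISTERED_CLIENTS.get(clientId);
        return allowed != null && allowed.contains(redirectUri);
    }
}

// VULNERABLE pattern: Bean Validation failed before the controller body ran, so the
// controller's own redirect_uri check never executed, and this handler does none.
@RestControllerAdvice
class VulnerableValidationErrorHandler {
    @ExceptionHandler(ConstraintViolationException.class)
    public ResponseEntity<Void> onConstraintViolation(ConstraintViolationException ex,
                                                      HttpServletRequest req) {
        String redirectUri = req.getParameter("redirect_uri"); // attacker-controlled
        URI location = UriComponentsBuilder.fromUriString(redirectUri)
            .queryParam("error", "invalid_request")
            .build().toUri();
        return ResponseEntity.status(HttpStatus.FOUND).location(location).build();
    }
}

// HARDENED pattern: validate redirect_uri in the error path too, and never redirect
// to an unregistered target; report the error to the user agent instead.
@RestControllerAdvice
class HardenedValidationErrorHandler {
    @ExceptionHandler(ConstraintViolationException.class)
    public ResponseEntity<String> onConstraintViolation(ConstraintViolationException ex,
                                                        HttpServletRequest req) {
        String clientId = req.getParameter("client_id");
        String redirectUri = req.getParameter("redirect_uri");
        if (!ClientRegistry.isRegisteredRedirectUri(clientId, redirectUri)) {
            // RFC 6749 section 4.1.2.1: with an invalid or mismatching redirect_uri the
            // authorization server MUST NOT redirect; answer the user agent directly.
            return ResponseEntity.status(HttpStatus.BAD_REQUEST)
                .body("invalid_request: client_id or redirect_uri is not registered");
        }
        // redirect_uri is one the client registered, so the OAuth error may be delivered
        // to it. The raw violation message is deliberately not echoed into the URL.
        URI location = UriComponentsBuilder.fromUriString(redirectUri)
            .queryParam("error", "invalid_request")
            .build().toUri();
        return ResponseEntity.status(HttpStatus.FOUND).location(location).build();
    }
}
```

To check a deployment, send an authorization request with a registered client_id, a redirect_uri that is not registered for that client, and a parameter that fails validation (for instance a malformed code_challenge). A vulnerable server answers 302 with a Location header pointing at the unregistered URI; a fixed server returns an error to the user agent without that redirect.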
Impact
- OAuth phishing: an attacker can craft a link whose first hop is the trusted IDP domain and which then redirects healthcare users to a phishing site, lending the phishing page the IDP's credibility.
- Credential theft via social engineering when the redirect lands on a convincing imitation of the IDP login page.
Mitigation
Update to ref-idp-server version 30.0.5 or later, which validates redirect_uri in all error paths. As a general rule for any OAuth authorization server, every response path that can emit a Location header, including framework-level validation errors, must check redirect_uri against the client's registration with an exact match and must return the error to the user agent directly when the check fails (RFC 6749 section 4.1.2.1).
