CVE-2024-21641

Flarum's Logout Route allows open redirects

Description

Flarum is open source discussion platform software. Prior to version 1.8.5, the Flarum `/logout` route includes a redirect parameter that allows any third party to redirect users from a (trusted) domain of the Flarum installation to redirect to any link. For logged-in users, the logout must be confirmed. Guests are immediately redirected. This could be used by spammers to redirect to a web address using a trusted domain of a running Flarum installation. The vulnerability has been fixed and published as flarum/core v1.8.5. As a workaround, some extensions modifying the logout route can remedy this issue if their implementation is safe.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 26.13% Top 5%
Vendor Advisory github.com
Affected: flarum framework
Published at:
Updated at:

References

Link Tags
https://github.com/flarum/framework/security/advisories/GHSA-733r-8xcp-w9mr patch vendor advisory
https://github.com/flarum/flarum-core/commit/ee8b3b4ad1413a2b0971fdd9e40f812d2a3a9d3a patch
https://github.com/flarum/framework/commit/7d70328471cf3091d92d95c382d277aec7996176 patch

Frequently Asked Questions

What is the severity of CVE-2024-21641?
CVE-2024-21641 has been scored as a medium severity vulnerability.
How to fix CVE-2024-21641?
To fix CVE-2024-21641, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-21641 being actively exploited in the wild?
It is possible that CVE-2024-21641 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~26% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-21641?
CVE-2024-21641 affects flarum framework.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.