April 13, 2023

GHSL-2022-138: open redirect in lorawan stack - CVE-2023-26494

Kevin Stubbings

Coordinated Disclosure Timeline


An open redirect exists on the login page of the lorawan stack server, allowing an attacker to supply a user-controlled redirect target that is followed upon sign-in.



Tested Version



Upon successful login on the /oauth/login and /oauth/token-login endpoints, the user is directed to the value of the n parameter by assigning n’s value to window.location.

Issue: Open Redirect (GHSL-2022-138)

An Open Redirect vulnerability exists in the /oauth/login and /oauth/token-login endpoints.

// Post-login redirect helper from the lorawan-stack web UI, as quoted in this advisory.
// Query is assumed to be the query-string package; appRoot is assumed to be the
// UI root path defined elsewhere in the code base.
import Query from 'query-string'

const url = (location, omitQuery = false) => {
  // Parses the current location's query string (argument reconstructed from context)
  const query = Query.parse(location.search)

  // The "n" parameter becomes the redirect target with no validation at all
  const next = query.n || appRoot

  if (omitQuery) {
    return next.split('?')[0]
  }

  return next
}
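The pattern above, reproduced with Node built-ins beside a hardened variant, as an added example that is not lorawan-stack's own code or fix. The vulnerable helper returns whatever "n" holds; the hardened helper keeps the same signature and omitQuery behaviour but only accepts a same-origin absolute path, falling back to the application root otherwise. appRoot is a placeholder value and the "n" values are constructed for the demonstration.

```javascript
// Added example (not lorawan-stack code): unvalidated "n" redirect vs. a
// same-origin-only version of the same helper.

const appRoot = '/console' // placeholder for the UI root path

// Vulnerable pattern: the "n" query parameter is the redirect target as-is.
function vulnerableNext(search, omitQuery = false) {
  const query = new URLSearchParams(search)
  const next = query.get('n') || appRoot
  return omitQuery ? next.split('?')[0] : next
}

// Returns true only for a path that stays on the current origin.
function isLocalPath(value) {
  if (typeof value !== 'string' || value.length === 0) return false
  // "//host" and "/\host" are scheme-relative in browsers, so a single leading "/" is required.
  if (!value.startsWith('/') || value.startsWith('//') || value.startsWith('/\\')) return false
  // Control characters and backslashes can be normalised away by URL parsers; refuse them.
  if (/[\u0000-\u001f\\]/.test(value)) return false
  // Final check: resolve against a fixed base and confirm the origin is unchanged.
  const base = 'https://app.invalid'
  let resolved
  try {
    resolved = new URL(value, base)
  } catch {
    return false
  }
  return resolved.origin === base
}

// Hardened pattern: same behaviour for legitimate in-app paths, root otherwise.
function safeNext(search, omitQuery = false) {
  const query = new URLSearchParams(search)
  const candidate = query.get('n')
  const next = isLocalPath(candidate) ? candidate : appRoot
  return omitQuery ? next.split('?')[0] : next
}

// Constructed sample inputs: a legitimate deep link and several off-site forms.
const samples = [
  '?n=/applications/app1?tab=data',
  '?n=https://evil.example',
  '?n=//evil.example',
  '?n=/\\evil.example',
  '',
]
for (const s of samples) {
  console.log(JSON.stringify(s), '->', vulnerableNext(s), '|', safeNext(s))
}
```

The origin comparison after resolving against a fixed base is what closes the scheme-relative forms ("//host", "/\host") that a plain "starts with /" check lets through; an allowlist of known in-app routes would be tighter still if the set of valid post-login destinations is small.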

Proof Of Concept

  1. Ensure you are logged out from lorawan stack.
  2. Log into lorawan stack using http://server/oauth/login?n=, where the value of n represents the domain you wish to redirect to.


This issue may allow malicious actors to phish users, since users assume they have been redirected to the homepage on login.




This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).


You can contact the GHSL team at, please include a reference to GHSL-2022-138 in any communication regarding this issue.