Conversation

Open redirect on Rapid7? That's a fun one. Too bad there are no posts from Rapid7 linked in the CVE.

Rapid7 Corporate Website prior to May 2nd 2025, suffered from a URL Redirection to Untrusted Site ('Open Redirect') vulnerability whereby, due to misconfigured headers, an attacker could successfully redirect users to a malicious site of their control.
This vulnerability has been fixed as of May 2nd 2025.

https://nvd.nist.gov/vuln/detail/CVE-2025-4132

@cR0w Custom services get CVE's now?

@buherator It's the first time I've seen it for something like this but we're in the new age of CVE. Pad those resumes.

@cR0w I think we'd need at least another digit given the shit I've seen on the open web in the last few decades...

@buherator IDK, at this rate, CVE won't survive long enough to need it.

@cR0w yeah don’t bother telling people where the redirect was so they could check their proxy logs or anything. sigh.

@todb Right? There is no usable info, which seems especially egregious given that Rapid7 was also the CNA.

boB Rudis 🇺🇦 🇬🇱 🇨🇦

@cR0w @todb this is my shocked face

@hrbrmstr @cR0w reached out to the CNA point of contact

it’s also missing the exclusively hosted service tag.

https://www.cve.org/Media/News/item/blog/2022/09/13/Dispelling-the-Myth-CVE-ID

boB Rudis 🇺🇦 🇬🇱 🇨🇦

@todb @cR0w foxes patrolling their own hen house was really not a great idea. I know the board disagrees, but I’m used to other humans being defiantly wrong 🙃

@hrbrmstr @cR0w well it all ends up being public so shenanigans are easily detected.
