Skip to content

fix(gui): mitigate CVE-2026-48710 (BadHost)#73

Merged
aig-hannes merged 2 commits into
mainfrom
fix/cve-2026-48710-badhost
May 27, 2026
Merged

fix(gui): mitigate CVE-2026-48710 (BadHost)#73
aig-hannes merged 2 commits into
mainfrom
fix/cve-2026-48710-badhost

Conversation

@melifaro
Copy link
Copy Markdown
Contributor

@melifaro melifaro commented May 27, 2026

Summary

  • Replace request.url.path with request.scope["path"] in require_gui_user() to prevent Host header forgery from manipulating the login redirect returnTo parameter (CVE-2026-48710)
  • Bump starlette dependency from >=1.0.0 to >=1.0.1 (lockfile: 1.0.0 → 1.1.0)
  • Update tests to use request.scope["path"] instead of request.url.path

Why

Starlette < 1.0.1 constructs request.url by concatenating the HTTP Host header with the request path without sanitization. An attacker can forge request.url.path via crafted Host headers. In require_gui_user(), this was used to build the returnTo login redirect — an open redirect vector.

request.scope["path"] uses the ASGI scope path set by the server from the actual request target, which is not derived from the Host header.

Downstream impact

All NiceGUI apps built on aignostics-foundry-core (bridge, hermes, etc.) inherit this fix automatically when they bump their dependency. No code changes needed in consuming projects.

Test plan

  • mise run lint passes
  • TestRequireGuiUser — all 3 tests pass (redirect, authenticated, return_to override)
  • CI pipeline passes

🤖 Generated with Claude Code

@melifaro melifaro requested a review from a team as a code owner May 27, 2026 13:36
aig-hannes
aig-hannes approved these changes May 27, 2026
View reviewed changes
Copy link
Copy Markdown

@aig-hannes aig-hannes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

melifaro and others added 2 commits May 27, 2026 16:20
@melifaro @claude
fix(gui): mitigate CVE-2026-48710 (BadHost) auth bypass vector
b0c9bac 
Use `request.scope["path"]` instead of `request.url.path` in
`require_gui_user()` to prevent Host header forgery from manipulating
the login redirect `returnTo` parameter. Bump starlette >= 1.0.1.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@melifaro
chore: regenerate mise.lock
7f0ce0b
@melifaro melifaro force-pushed the fix/cve-2026-48710-badhost branch from d359460 to 7f0ce0b Compare May 27, 2026 14:21
@codecov
Copy link
Copy Markdown

codecov Bot commented May 27, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Files with missing lines Coverage Δ
src/aignostics_foundry_core/gui/auth.py 93.18% <100.00%> (ø)

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 27, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@aig-hannes aig-hannes merged commit 97a876d into main May 27, 2026
12 checks passed
@aig-hannes aig-hannes deleted the fix/cve-2026-48710-badhost branch May 27, 2026 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aig-hannes aig-hannes aig-hannes approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@melifaro @aig-hannes