Will It Vibe?
SEC-023High severity-15 points

Open redirect via unsanitized query param

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

Redirecting to a URL taken directly from request input lets attackers craft phishing redirect links.

Why it matters

When a redirect target comes straight from the query string, anyone can craft a link on your domain that bounces users to a phishing site, borrowing your domain's credibility. These links pass casual inspection because the visible URL is yours. Login and logout redirects are the usual targets.

How to fix it

Validate the destination before redirecting: accept only relative paths that start with a single '/' (rejecting '//' and backslash variants), or look the value up in a map of named allowed destinations, falling back to '/' on anything else. Never redirect to a fully user-supplied absolute URL.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks