AFFiNE Vulnerability: Open Redirect Flaw Patched in v0.26.0
CVE Notify is flagging a critical open redirect vulnerability, CVE-2026-25477, that impacted AFFiNE, an open-source workspace and operating system. The flaw resided in the /redirect-proxy endpoint and allowed attackers to bypass domain validation by crafting malicious domains that mimicked trusted ones. Specifically, an improperly anchored regular expression was the culprit: because the pattern was not anchored to the whole hostname, any untrusted domain that merely ended with a whitelisted string passed validation.
This type of vulnerability, while seemingly minor, can be a stepping stone for more sophisticated attacks. Attackers could leverage an open redirect to send users to phishing pages, host malicious content, or even exploit browser vulnerabilities by redirecting users to specially crafted URLs. The good news is that AFFiNE has addressed this issue, patching the vulnerability in version 0.26.0. Users are strongly advised to update to this latest version to protect themselves.
This incident underscores the importance of rigorous validation, especially for endpoints handling external input like redirection proxies. Even seemingly straightforward code can harbor exploitable flaws if not carefully scrutinized, particularly concerning regex anchoring and domain sanitization.
What This Means For You
- Verify that your application's domain validation logic, particularly for redirector endpoints, correctly uses anchored regular expressions to prevent substring bypasses, ensuring that only fully trusted domains are allowed.
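To make the substring bypass concrete, here is an added JavaScript example (not AFFiNE's code; the allowlist, hostnames and URLs are constructed placeholders) that places a suffix-only regex check beside a check that parses the URL and compares the full hostname:

```javascript
// Added example, not AFFiNE's code. Allowlist and URLs are constructed placeholders.
const TRUSTED_HOSTS = ["example.com", "app.example.com"];

// Weak check: the pattern is anchored only at the end ($), so any hostname that
// merely ENDS with a trusted string is accepted, e.g. "evil-example.com".
const WEAK_PATTERN = new RegExp(
  `(${TRUSTED_HOSTS.map((h) => h.replace(/\./g, "\\.")).join("|")})$`
);
function isTrustedWeak(target) {
  try {
    return WEAK_PATTERN.test(new URL(target).hostname);
  } catch (e) {
    return false;
  }
}

// Hardened check: parse the URL, require https, and compare the whole hostname
// against the allowlist: exact match, or a real subdomain delimited by a dot.
function isTrustedStrict(target) {
  let url;
  try {
    url = new URL(target);
  } catch (e) {
    return false; // unparseable input is never a valid redirect target
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return TRUSTED_HOSTS.some((t) => host === t || host.endsWith("." + t));
}

// Returns the normalized redirect target, or null to refuse the redirect.
function resolveRedirect(target) {
  return isTrustedStrict(target) ? new URL(target).href : null;
}

module.exports = { isTrustedWeak, isTrustedStrict, resolveRedirect };
```

A hostname like `example.com.evil.net` is rejected by the strict check as well, since the comparison runs over the entire parsed hostname rather than a prefix or suffix of it.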
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-25477 | Open Redirect | AFFiNE prior to v0.26.0; /redirect-proxy endpoint; improper domain validation via an improperly anchored regular expression. |