CTFd 3.8.5

CTFd 3.8.5 has been released with a security fix for an open redirect vulnerability.

A bypass that affected certain browsers was identified for the open redirect vulnerability patched in 3.8.4.

For context, this open redirect occurred when registering or logging into an account via a maliciously crafted URL. This could result in users being phished or otherwise tricked if they fully log in through one of those crafted URLs.

We recommend all CTFd users update their instance to v3.8.5.

If your CTFd instance cannot be easily updated, we recommend making the following temporary stop-gap measures:

  • Adding a proxy configuration to remove the `next` query parameter. For example, in nginx:

    # Strip the `next` query parameter before proxying.
    # Note: `return 301 $uri;` redirects to the same path with the whole
    # query string dropped, so any other parameters on that request are lost too.
    if ($arg_next) {
      return 301 $uri;
    }

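As an added example (not CTFd's own code), the following is an application-side check of the kind that makes a `next` parameter safe, plus a scan of web-server log lines for requests whose `next` value would have been refused. The browser-specific bypass fixed in 3.8.5 is not described above, so the validator refuses the common classes of redirect tricks (absolute and protocol-relative URLs, backslashes, control characters, double encoding) rather than one specific variant; the log lines and hostnames are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not CTFd's own code: a same-origin check for the `next`
# parameter used on login/register, plus a scan of log lines for unsafe values.


def is_safe_next(next_value: str) -> bool:
    """True only if `next` is a plain same-origin path such as /challenges."""
    if not next_value:
        return False
    # Decode twice so double-encoded slashes or backslashes cannot hide a host.
    candidate = unquote(unquote(next_value))
    # Browsers disagree on backslashes, whitespace and control characters in
    # URLs (several treat "\" as "/"), so refuse anything outside printable
    # ASCII and any backslash at all.
    if any(not 0x21 <= ord(ch) <= 0x7E for ch in candidate) or "\\" in candidate:
        return False
    # Exactly one leading slash: "//host" is a protocol-relative absolute URL.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    # Any scheme or host found by the parser means it is not a local path.
    return not parts.scheme and not parts.netloc


def redirect_target(next_value: str, default: str = "/") -> str:
    """Return `next` if it is safe, otherwise the default landing page."""
    return next_value if is_safe_next(next_value) else default


def flag_suspicious_next(log_lines):
    """Yield (request_path, next_value) for log lines carrying an unsafe `next`."""
    for line in log_lines:
        try:
            request = line.split('"')[1]  # e.g. GET /login?next=... HTTP/1.1
            path = request.split(" ")[1]
        except IndexError:
            continue
        for value in parse_qs(urlsplit(path).query).get("next", []):
            if not is_safe_next(value):
                yield path, value


# Constructed sample log lines (nginx combined format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /login?next=/challenges HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /login?next=//attacker.example HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /register?next=/%5Cattacker.example HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path, value in flag_suspicious_next(SAMPLE_LOG):
        print(f"unsafe next on {path}: {value!r}")
```

Running the block reports the second and third sample requests; the first, a plain same-origin path, passes.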
v3.8.5 has already been deployed to Hosted CTFd customers. Self-hosted users can download the latest version of CTFd from GitHub or by downloading the latest version of the Enterprise installer from their account at https://cloud.ctfd.io/.