Security: Potential open redirect due to unvalidated redirect path fallback logic

[tuanaiseo]

Problem

getRedirectOrDefault returns the provided redirect string directly when present. If this value is user-controlled and later used in a redirect response, it can enable open redirect attacks to external sites.

Severity: medium
File: packages/adapter-nextjs/src/auth/utils/getRedirectOrDefault.ts

Solution

Validate redirect targets before use: allow only relative paths (e.g., starting with / and not //) or enforce a strict origin allowlist for absolute URLs. Normalize and reject invalid or external destinations.

Changes

• packages/adapter-nextjs/src/auth/utils/getRedirectOrDefault.ts (modified)

Testing

• Existing tests pass
• Manual review completed
• No new warnings/errors introduced

[changeset-bot]

⚠️ No Changeset found

Latest commit: 210b050

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR