chore(deps): update dependency @adonisjs/core to v7.3.1 [security] by renovate[bot] · Pull Request #6 · mikro-orm/adonis-example-app

renovate · 2026-05-02T07:12:29Z

This PR contains the following updates:

Package	Change	Age	Confidence
@adonisjs/core	`7.0.1` → `7.3.1`

@adonisjs/http-server has an Open Redirect vulnerability

CVE-2026-40255 / GHSA-6qvv-pj99-48qm

More information

Details

Impact

The response.redirect().back() method in @adonisjs/http-server is vulnerable to open redirects. The method reads the Referer header from the incoming HTTP request and redirects to that URL without validating the host. An attacker who can influence the Referer header (for example, by linking a user through an attacker-controlled page before a form submission) can cause the application to redirect users to a malicious external site.

This affects all AdonisJS applications that use response.redirect().back() or response.redirect('back').

The vulnerability is classified as CWE-601: URL Redirection to Untrusted Site ('Open Redirect').

Patches

This has been fixed in @adonisjs/http-server version 8.2.0. The back() method now validates the Referer header's host against the request's own Host header. Referrers from unrecognized hosts are rejected and the redirect falls back to / (or a developer-provided fallback URL).

Applications that operate across multiple domains can configure additional trusted hosts via the redirect.allowedHosts option in config/app.ts.

Users should upgrade to @adonisjs/http-server@^8.2.0 (or @adonisjs/core@^7.4.0 if using the core meta-package).

Workarounds

If upgrading is not immediately possible, avoid using response.redirect().back() in routes that are reachable by unauthenticated users or from pages that accept external traffic. Instead, redirect to a known safe path explicitly using response.redirect().toPath('/dashboard').

References

Severity

CVSS Score: 6.1 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

adonisjs/core (@adonisjs/core)

`v7.3.1`: Preventing open-redirect vulnerabilities during referer based redirects

Compare Source

Full Changelog: adonisjs/core@v7.3.0...v7.3.1

`v7.3.0`: Allow make commands to override existing files via --force flag

Compare Source

Features

add --force flag to all make commands (bb90a45)

Full Changelog: adonisjs/core@v7.2.0...v7.3.0

`v7.2.0`: Safe timing helpers, vine.create usage in validator stub and create building using custom tsconfig file

Compare Source

Bug Fixes

replace vine.compile with vine.create in validator stub (#5082) (487246a)
update validator test to use vine.create (9d7c8fc)

Features

allow passing custom tsconfig path to the build command (7e12fa4), closes #5083
allow passing custom ui instance to codemods (8cbb2c1)
safe timing helper (#5080) (5793b1f)

What's Changed

fix: replace vine.compile with vine.create in validator stub by @FlorianV85 in #5082
feat: safe timing helper by @Julien-R44 in #5080

New Contributors

@FlorianV85 made their first contribution in #5082

Full Changelog: adonisjs/core@v7.1.1...v7.2.0

`v7.1.1`: Fix indexEntities to create manifest file when `manifest.enabled` is true

Compare Source

Bug Fixes

enable manifest explicitly (038fc87)

Full Changelog: adonisjs/core@v7.1.0...v7.1.1

`v7.1.0`: Add JSONL route formatter for AI agents

Compare Source

Bug Fixes

linting and formatting issues (936b778)

Features

add JSONL route formatter for AI agents and improve command descriptions (b59a82b)
auto-select JSON output for list command when running in AI agent (f8d58a0)

Full Changelog: adonisjs/core@v7.0.1...v7.1.0

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

chore(deps): update dependency @adonisjs/core to v7.3.1 [security]

14ac88f

renovate Bot merged commit bbeeed7 into main May 3, 2026
1 check passed

renovate Bot deleted the renovate/npm-adonisjs-core-vulnerability branch May 3, 2026 12:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency @adonisjs/core to v7.3.1 [security]#6

chore(deps): update dependency @adonisjs/core to v7.3.1 [security]#6
renovate[bot] merged 1 commit intomainfrom
renovate/npm-adonisjs-core-vulnerability

renovate Bot commented May 2, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented May 2, 2026

@​adonisjs/http-server has an Open Redirect vulnerability

Details

Impact

Patches

Workarounds

References

Severity

References

Release Notes

v7.3.1: Preventing open-redirect vulnerabilities during referer based redirects

v7.3.0: Allow make commands to override existing files via --force flag

Features

v7.2.0: Safe timing helpers, vine.create usage in validator stub and create building using custom tsconfig file

Bug Fixes

Features

What's Changed

New Contributors

v7.1.1: Fix indexEntities to create manifest file when manifest.enabled is true

Bug Fixes

v7.1.0: Add JSONL route formatter for AI agents

Bug Fixes

Features

Configuration

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

@adonisjs/http-server has an Open Redirect vulnerability

`v7.3.1`: Preventing open-redirect vulnerabilities during referer based redirects

`v7.3.0`: Allow make commands to override existing files via --force flag

`v7.2.0`: Safe timing helpers, vine.create usage in validator stub and create building using custom tsconfig file

`v7.1.1`: Fix indexEntities to create manifest file when `manifest.enabled` is true

`v7.1.0`: Add JSONL route formatter for AI agents