gematik ref-idp-server
Open Redirect via Unvalidated redirect_uri
The gematik ref-idp-server contains an open redirect vulnerability in its error handler. When parameter validation fails, the redirect_uri from the HTTP request is used without validation against registered OAuth clients, allowing attackers to redirect users to malicious sites.
Description
The normal authentication flow validates the redirect_uri parameter against registered OAuth clients in the controller method body. However, Jakarta Bean Validation annotations on request parameters (such as @Pattern on state, nonce, code_challenge, and code_challenge_method) are evaluated before the controller body executes.
In the normal flow, the redirect_uri is validated against registered clients:
IdpController.java:95
idpAuthenticator.validateRedirectUri(clientId, redirectUri);

But this validation is inside the controller method body. When Jakarta Bean Validation annotations on parameters fail, a ConstraintViolationException is thrown before the controller body executes. The exception is handled by buildForwardingError, which reads the redirect_uri directly from the HTTP request and uses it for a 302 redirect, without ever calling validateRedirectUri:
IdpServerExceptionHandler.java:100-130
final String redirectUri = request.getParameter("redirect_uri");
if (redirectUri == null) {
    // ... return 400
} else {
    final UriBuilder uriBuilder = UriBuilder.fromPath(redirectUri)
        .queryParam("error", ...)
        .queryParam("gematik_code", ...);
    // ...
    response.setHeader(HttpHeaders.LOCATION, location.toString());
    return new ResponseEntity<>(HttpStatus.FOUND);
}

The redirect_uri validation in createIdpErrorResponse only applies to MissingServletRequestParameterException, not to ConstraintViolationException. Any request that triggers a parameter format validation error will redirect to whatever redirect_uri the attacker supplies.
An attacker can exploit this by sending a request with a valid client_id but an intentionally malformed code_challenge. The value fails the expected regex pattern, triggering error code 2010 with HTTP status 302. The error handler then redirects the user to the attacker-controlled URL:
Proof of concept
curl -v 'https://idp.example.com/sign_response?'\
'client_id=eRezeptApp&'\
'redirect_uri=https://evil.com&'\
'response_type=code&'\
'scope=openid+e-rezept&'\
'code_challenge=too_short&'\
'code_challenge_method=S256&'\
'state=x&nonce=y'

Impact
- OAuth phishing: attackers can craft links that appear to originate from the trusted IDP domain but redirect healthcare users to a phishing site.
- Credential theft via social engineering when combined with a convincing phishing page.
Mitigation
Update to ref-idp-server version 30.0.5 or greater, which validates redirect_uri in all error paths.
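The following is an added illustration of the fix the advisory describes, not code from ref-idp-server or from gematik: a Spring exception handler that treats ConstraintViolationException the same way the normal flow treats the authorization request, checking redirect_uri against the client's registered URIs before ever emitting a 302, and answering with a local 400 otherwise. The ClientRegistry interface, the class and method names, and the error strings are assumptions made for this example; it targets Spring 6 / Jakarta namespaces.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.ConstraintViolationException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.util.UriComponentsBuilder;

@RestControllerAdvice
public class SafeRedirectExceptionHandler {

    // Hypothetical lookup of the redirect URIs registered for a client_id.
    // This is an assumption for the example, not the project's own API.
    public interface ClientRegistry {
        Set<String> registeredRedirectUris(String clientId);
    }

    private final ClientRegistry clients;

    public SafeRedirectExceptionHandler(ClientRegistry clients) {
        this.clients = clients;
    }

    // Bean Validation failures (e.g. @Pattern on code_challenge) land here
    // before the controller body, so the redirect check must happen here too.
    @ExceptionHandler(ConstraintViolationException.class)
    public ResponseEntity<String> handleConstraintViolation(
            ConstraintViolationException ex, HttpServletRequest request) {
        String clientId = request.getParameter("client_id");
        String redirectUri = request.getParameter("redirect_uri");

        if (!isRegisteredRedirectUri(clientId, redirectUri)) {
            // Unknown client or unregistered redirect_uri: do not redirect at all.
            return ResponseEntity.status(HttpStatus.BAD_REQUEST)
                    .body("invalid_request: unknown client_id or unregistered redirect_uri");
        }

        // Only a registered redirect_uri is used as the Location of the 302.
        URI location = UriComponentsBuilder.fromUriString(redirectUri)
                .queryParam("error", "invalid_request")
                .queryParam("error_description", "parameter validation failed")
                .build()
                .toUri();
        return ResponseEntity.status(HttpStatus.FOUND)
                .header(HttpHeaders.LOCATION, location.toString())
                .build();
    }

    // Exact string comparison against the registered set; no prefix or
    // substring matching, and no fragment component (RFC 6749 section 3.1.2).
    boolean isRegisteredRedirectUri(String clientId, String redirectUri) {
        if (clientId == null || redirectUri == null) {
            return false;
        }
        try {
            URI parsed = new URI(redirectUri);
            if (!parsed.isAbsolute() || parsed.getFragment() != null) {
                return false;
            }
        } catch (URISyntaxException e) {
            return false;
        }
        Set<String> registered = clients.registeredRedirectUris(clientId);
        return registered != null && registered.contains(redirectUri);
    }
}
```

The point of the design is that the same registry check guards every code path that can produce a Location header, so a request like the proof of concept above (valid client_id, malformed code_challenge, foreign redirect_uri) gets a 400 from the IDP itself rather than a bounce to an unregistered host. Parameters such as state are only echoed back once they have passed validation, since the handler is precisely the place where they may have failed it.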
References
Who We Are
The security researchers behind this advisory.

Dr. rer. nat. Simon Weber
Senior Pentester & MedSec Researcher
I evaluate your SaMD with the same industry-defining security insight I contributed to the BAK MV for the revision of the B3S standard.
- PhD on Hospital Cybersecurity
- Critical vulnerabilities found in hospital systems
- Alumnus of THB MedSec Research Group
- gematik Security Hero

Dipl.-Inf. Volker Schönefeld
Senior Application Security Expert
As a former CTO and developer turned pentester, I work alongside your team to uncover vulnerabilities and find solutions that fit your architecture.
- 20+ years as CTO, 50M+ app downloads
- Architected and secured large-scale IoT fleets
- Certified Web Exploitation Specialist
- gematik Security Hero
Looking for a Penetration Test?
Machine Spirits specializes in security assessments for medical devices and healthcare IT. From MDR penetration testing to C5 cloud compliance, we help MedTech companies meet regulatory requirements.
