From 210b0503c1754702551d7c375df91b4363148f29 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Sun, 12 Apr 2026 06:31:29 +0700
Subject: [PATCH] fix(security)(adapter-nextjs): potential open redirect due to unvalidated redirec

`getRedirectOrDefault` returns the provided `redirect` string directly when present. If this value is user-controlled and later used in a redirect response, it can enable open redirect attacks to external sites.

Affected files: getRedirectOrDefault.ts

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 packages/adapter-nextjs/src/auth/utils/getRedirectOrDefault.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/adapter-nextjs/src/auth/utils/getRedirectOrDefault.ts b/packages/adapter-nextjs/src/auth/utils/getRedirectOrDefault.ts
index 0be30a78601..2523b191c3a 100644
--- a/packages/adapter-nextjs/src/auth/utils/getRedirectOrDefault.ts
+++ b/packages/adapter-nextjs/src/auth/utils/getRedirectOrDefault.ts
@@ -2,4 +2,4 @@
 // SPDX-License-Identifier: Apache-2.0
 
 export const getRedirectOrDefault = (redirect: string | undefined): string =>
-  redirect || '/';
+  redirect?.startsWith('/') && !redirect.startsWith('//') ? redirect : '/';
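Review bot: The guard on the added line still admits `/\evil.com`, because it rejects only a literal `//` prefix while browsers and the WHATWG URL parser treat a backslash after the leading slash as a second slash, so the value resolves to `//evil.com` and the open redirect survives; a tab or newline in that position (`/\t/evil.com`) is stripped by the browser with the same effect. Rather than enumerating bad prefixes, resolve the candidate against a throwaway origin and accept it only if it stays on that origin, as in the rewrite below (`new URL(redirect, base).origin === base`), which covers `//`, `/\`, and the whitespace variants in one check. Note also that the new form silently maps absolute same-origin URLs (previously passed through by `redirect || '/'`) to `/`; if that is intended, say so in a doc comment such as `/** Accepts only a same-origin absolute path; anything else falls back to '/'. */`. Whether the returned value is later fed to `NextResponse.redirect` or a `Location` header is not visible here, so the downstream usage should be confirmed. `getRedirectOrDefault` is fully visible in the hunk.
```typescript
/**
 * Returns `redirect` only when it is a same-origin absolute path; otherwise '/'.
 * Resolving against a throwaway origin rejects every form a browser would turn
 * into a cross-origin target ('//host', '/\host', '/\t/host'), not just '//'.
 */
export const getRedirectOrDefault = (redirect: string | undefined): string => {
  if (!redirect?.startsWith('/')) return '/';
  try {
    const base = 'http://localhost';
    return new URL(redirect, base).origin === base ? redirect : '/';
  } catch {
    // Unparseable input is never a safe redirect target.
    return '/';
  }
};
```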