CVE-2025-64481 — Open redirect endpoint in Datasette

Description

Datasette is an open source multi-tool for exploring and publishing data. In versions 0.65.1 and below and 1.0a0 through 1.0a19, deployed instances of Datasette include an open redirect vulnerability. Hits to the path //example.com/foo/bar/ (the trailing slash is required) will redirect the user to https://example.com/foo/bar. This problem has been patched in both Datasette 0.65.2 and 1.0a21. To workaround this issue, if Datasette is running behind a proxy, that proxy could be configured to replace // with / in incoming request URLs.

How to fix CVE-2025-64481

To remediate CVE-2025-64481, upgrade the affected package to a fixed version below.

—upgrade to 0.65.2 or later
—no fix listed

Is CVE-2025-64481 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.65.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-64481
PATCHgithub.com/simonw/datasette
WEBgithub.com/pypa/advisory-database/tree/main/vulns/datasette/PYSEC-2025-73.yaml
WEBgithub.com/simonw/datasette/commit/f257ca6edb64848c3b04b54d41e347c54fe57c05