CVE-2025-40846 - Open Redirect
<style>p { margin: 0 0 10px; }h1, h2, h3 { margin: 20px 0 10px; }h4, h5, h6 { margin: 10px 0 10px; }</style>
<h3 id="general-information">General Information</h3>
<p>This article contains frequently asked questions relating to the open redirect vulnerability affecting Halo versions up to 2.174.101 and all versions between 2.175.1 and 2.184.21.</p>
<p>A malformed link could cause the returnurl parameter to be parsed incorrectly. If a user were to open such a link, log in to their account and then click the incorrectly parsed returnurl link, the user's tokens could be leaked.</p>
<h3 id="are-hosted-halo-instances-affected">Are hosted Halo instances affected?</h3>
<p>Hosted customers have been automatically updated to a patch that resolves this issue, so no action is required on their part. The patch was released on 2025-03-12 and hosted customers would have been upgraded shortly afterwards.</p>
<h3 id="are-on-prem-halo-instances-affected">Are On-Prem Halo instances affected?</h3>
<p>Halo On-Prem installations should apply the latest stable or beta patch to their Halo instance to resolve this issue:</p>
<ul>
<li>Any patch &gt;= 2.174.101.</li>
<li>Any version &gt;= 2.184.21.</li>
</ul>
<h3 id="next-steps">Next Steps</h3>
<p>No action is required on the part of our customers.</p>
<p>We will continue to monitor our business infrastructure to ensure the same level of service and security that you expect.</p>
<h3 id="cve-reference">CVE Reference</h3>
<p>CVE-2025-40846</p>
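The root cause above is a post-login return URL that can be parsed in a way the application did not intend. The following is an added example, not Halo's own code, of the server-side allow-listing that closes this class of issue: accept a returnurl only when it is a bare same-site path and fall back to a fixed page for everything else, including the malformed forms (protocol-relative, backslash, control-character and schemeless-host variants) that lenient parsers get wrong. The function name and fallback path are assumptions.

```python
"""Allow-list a post-login returnurl so it can only lead back into the same site."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed landing page used whenever the supplied returnurl is rejected.
SAFE_FALLBACK = "/"


def safe_return_url(value: Optional[str], fallback: str = SAFE_FALLBACK) -> str:
    """Return `value` if it is a plain same-site path, otherwise `fallback`.

    The checks reject input rather than trying to repair it: a redirect target
    that needs fixing is, by definition, not one the application generated.
    """
    if not value:
        return fallback
    # Browsers strip certain control characters and whitespace before parsing,
    # so "/\t/evil.example" can be read as "//evil.example". Refuse them all.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return fallback
    # Browsers treat a backslash like a forward slash ("/\evil.example" is
    # read as "//evil.example"), so a backslash anywhere is rejected.
    if "\\" in value:
        return fallback
    # Must be a path starting with exactly one slash: "//host" is
    # protocol-relative and "https:host" or "host/x" are not paths at all.
    if not value.startswith("/") or value.startswith("//"):
        return fallback
    parts = urlsplit(value)
    # If the parser still found a scheme or a host, it is not a bare path.
    if parts.scheme or parts.netloc:
        return fallback
    # Re-serialise from path, query and fragment only, dropping anything else.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```

A login handler would call `safe_return_url(request_param)` and redirect to its result, never to the raw parameter.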