diff --git a/surfsense_web/lib/auth-utils.ts b/surfsense_web/lib/auth-utils.ts
index c2a0d58a5..038f3fad3 100644
--- a/surfsense_web/lib/auth-utils.ts
+++ b/surfsense_web/lib/auth-utils.ts
@@ -70,9 +70,26 @@ export function getAndClearRedirectPath(): string | null {
 	if (redirectPath) {
 		localStorage.removeItem(REDIRECT_PATH_KEY);
 	}
+	if (redirectPath && !isValidRedirectPath(redirectPath)) {
+		return null;
+	}
 	return redirectPath;
 }
 
+/**
+ * Validates that a redirect path is a safe, relative URL on the same origin.
+ * Rejects absolute URLs, protocol-relative URLs, and scheme injections.
+ */
+function isValidRedirectPath(path: string): boolean {
+	if (!path.startsWith("/") || path.startsWith("//")) return false;
+	try {
+		const url = new URL(path, window.location.origin);
+		return url.origin === window.location.origin;
+	} catch {
+		return false;
+	}
+}
+
 /**
  * Gets the bearer token from localStorage
  */
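Review bot: A rejected redirect path is dropped silently in the new `if (redirectPath && !isValidRedirectPath(redirectPath))` branch, which loses a useful signal: the value comes from localStorage, which any same-origin script can write, so a rejection is worth surfacing for troubleshooting and detection, e.g. `console.warn("Discarding unsafe redirect path from storage");` before `return null;` (without echoing the raw value into logs). The origin comparison in `isValidRedirectPath` does the real work, since the `URL` parser resolves backslash and `..` variants against `window.location.origin`, so the leading-slash checks are only a fast path; the doc comment could say "root-relative path" rather than "relative URL", as a bare `foo` is also rejected. Wherever the path is written to `REDIRECT_PATH_KEY` (the setter is outside this hunk), the same validator would presumably be worth applying at write time as well, so an unsafe value never lands in storage. The start of `getAndClearRedirectPath` is outside the hunk.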