The next query parameter is assigned directly to location with no allowlist, so ?next=https://evil… bounces the victim off-site. (The server-side twin is /api/redirect.)
Trigger: /redirect/?next=https://evil.vuln-lab.test
Detected by: browser_cdp_js_redirection_trace, browser_cdp_open_redirect_test