The loginRedirect cookie value was used directly in res.redirect() and window.location.replace() without validation, allowing redirection to arbitrary external URLs. Added validation to ensure the redirect target is a relative path before use.
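An added example, not the project's own code, of the relative-path check this fix describes, written for Node/Express-style code; the function names `isSafeRedirectTarget` and `safeRedirectPath` and the `"/"` fallback are assumptions. It shows why "starts with /" alone is not enough: protocol-relative `//host` and backslash variants resolve to another origin in browsers.

```javascript
// Added example (not the project's code): validate a redirect target
// from an untrusted source (e.g. a loginRedirect cookie) before passing
// it to res.redirect() or window.location.replace().
function isSafeRedirectTarget(target) {
  if (typeof target !== "string" || target.length === 0) return false;

  // Reject ASCII control characters and spaces: the WHATWG URL parser
  // strips leading/trailing ones and removes tabs/newlines anywhere,
  // so " //evil.example" would otherwise become "//evil.example".
  if (/[\u0000-\u0020\u007f]/.test(target)) return false;

  // Must start with exactly one "/" that is not followed by "/" or "\".
  // "//evil.example" is protocol-relative, and browsers treat
  // "/\evil.example" as "//evil.example" for http(s) URLs.
  if (!/^\/(?![\/\\])/.test(target)) return false;

  // Defence in depth: resolve against a fixed dummy origin and confirm
  // the parsed URL still belongs to that origin.
  const base = "https://app.invalid";
  let parsed;
  try {
    parsed = new URL(target, base);
  } catch {
    return false;
  }
  return parsed.origin === base;
}

// Returns the target if it is safe, otherwise the fallback path.
// Intended use (Express): res.redirect(safeRedirectPath(req.cookies.loginRedirect));
function safeRedirectPath(target, fallback = "/") {
  return isSafeRedirectTarget(target) ? target : fallback;
}
```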