Security researchers have identified a differential URL parsing bug in the Apache2 module mod_auth_openidc, which can lead to Open Redirect and Cross-Site Scripting vulnerabilities. The bug arises from the difference in how Apache2's internal URL parser and modern web browsers parse URLs, allowing attackers to trick users into redirecting to unintended hosts. The researchers patched the issue by adding a special case to replace any backslash with slashes, effectively preventing the parsing differential. They also demonstrated how to detect similar bugs using differential testing, which is an important step in identifying vulnerabilities in applications that use multiple parsers for the same specifications. By rejecting ambiguous input and refusing to parse it incorrectly, developers can ensure their applications are safer from such attacks.