diff --git a/client-app/core/utilities/common/index.test.ts b/client-app/core/utilities/common/index.test.ts
index ad8da1598..ba6107d88 100644
--- a/client-app/core/utilities/common/index.test.ts
+++ b/client-app/core/utilities/common/index.test.ts
@@ -104,6 +104,18 @@ describe("getReturnUrlValue", () => {
     const result = getReturnUrlValue();
     expect(result).toBeNull();
   });
+
+  it("should return null when returnUrl points to a different hostname", () => {
+    Object.defineProperty(window, "location", {
+      configurable: true,
+      value: {
+        href: "http://example.com?returnUrl=http://malicious.com/home",
+      },
+    });
+
+    const result = getReturnUrlValue();
+    expect(result).toBeNull();
+  });
 });
 
 describe("extractHostname", () => {
diff --git a/client-app/core/utilities/common/index.ts b/client-app/core/utilities/common/index.ts
index 48c0c1034..6e5fa8feb 100644
--- a/client-app/core/utilities/common/index.ts
+++ b/client-app/core/utilities/common/index.ts
@@ -7,8 +7,16 @@ export function getBaseUrl(supportedLocales: string[]): string {
 }
 
 export function getReturnUrlValue(): string | null {
-  const { searchParams } = new URL(location.href);
-  return searchParams.get("returnUrl") || searchParams.get("ReturnUrl");
+  const { searchParams, origin, hostname } = new URL(location.href);
+  const returnUrl = searchParams.get("returnUrl") || searchParams.get("ReturnUrl");
+
+  if (returnUrl) {
+    const returnUrlObj = new URL(returnUrl, origin);
+    if (returnUrlObj.hostname === hostname) {
+      return returnUrl;
+    }
+  }
+  return null;
 }
 
 export function extractHostname(url: string) {
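Review bot: The new `it` case pins only the cross-host rejection; the acceptance path is not exercised, so a regression that rejects every returnUrl would still pass this describe block. Two more cases would close that gap: `href: "http://example.com?returnUrl=/home"` expecting `"/home"`, and `href: "http://example.com?returnUrl=http://example.com/home"` expecting the same absolute value back, which also documents that relative paths are the intended safe form. The test redefines `window.location` with `configurable: true` but does not restore it; whether an `afterEach` outside the hunk does so is not visible here, and if not, later tests in the file inherit the mocked location. The enclosing `describe("getReturnUrlValue")` starts before the hunk.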
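Review bot: The guard `if (returnUrlObj.hostname === hostname)` compares only the hostname, so a returnUrl on the same host but with a different scheme or port (for instance `http://` while the page is served over `https://`) is still returned, and `new URL(returnUrl, origin)` throws a `TypeError` on a malformed value, so a single bad query parameter now makes a function typed `string | null` throw instead of returning null. Comparing `origin` (scheme, host and port together) and treating a parse failure as "no return URL" keeps both the redirect confined to the current origin and the declared contract. The same-origin check still lets any path and query through, which is the intended behaviour for an in-app return. The short-circuit `||` between the two parameter spellings is pre-existing and unchanged.
```typescript
export function getReturnUrlValue(): string | null {
  const { searchParams, origin } = new URL(location.href);
  const returnUrl = searchParams.get("returnUrl") || searchParams.get("ReturnUrl");
  if (!returnUrl) {
    return null;
  }
  try {
    // Resolve relative values against the current origin, then require the
    // full origin (scheme + host + port) to match, not just the hostname.
    return new URL(returnUrl, origin).origin === origin ? returnUrl : null;
  } catch {
    // Unparseable returnUrl: treat as absent rather than throwing to the caller.
    return null;
  }
}
```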