This application has an open redirect vulnerability. The /redirect endpoint accepts a url parameter and redirects to it without validation.
The redirect endpoint accepts a URL parameter:
GET /redirect?url=<destination>
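One way to validate the url parameter before redirecting, shown as an added example that is not the application's own code. The allowlisted host app.example.com, the fallback path "/" and the function name safe_redirect_target are assumptions.

```python
from urllib.parse import urlsplit

# Assumptions (constructed values, not from the application):
ALLOWED_HOSTS = {"app.example.com"}  # hosts the app may redirect to
FALLBACK = "/"                       # where to send rejected requests


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return url if it is a same-site path or an allowlisted https URL,
    otherwise return fallback."""
    # Reject empty values and anything with whitespace or control characters,
    # which URL parsers and browsers may strip or interpret differently.
    if not url or any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return fallback
    # Browsers treat a backslash like a forward slash; the parser does not.
    if "\\" in url:
        return fallback
    try:
        parts = urlsplit(url)
    except ValueError:
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path rooted at a single slash.
        # "//host/path" is scheme-relative and would leave the site.
        if url.startswith("/") and not url.startswith("//"):
            return url
        return fallback
    # Absolute URL: https only, no userinfo, host must be allowlisted.
    if parts.scheme != "https":
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    if parts.hostname not in allowed_hosts:
        return fallback
    return url


if __name__ == "__main__":
    # Constructed sample values for the url parameter.
    for sample in ["/dashboard?tab=1", "https://app.example.com/home",
                   "https://other.example/", "//other.example/"]:
        print(f"{sample!r:35} -> {safe_redirect_target(sample)!r}")
```

The handler for /redirect would pass the url parameter through this function and redirect only to the value it returns.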