There is an open redirection vulnerability that allows an attacker to redirect anyone to malicious sites.
Go to this URL: $URL
As you can see it redirects to https://www.evil.com
Attackers can serve malicious websites that steal passwords or download ransomware to their victims machine due to a redirect and there are a heap of other attack vectors. They can also use the URL to trick users into revealing their public IP address.
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html https://hackerone.com/reports/692154