A hostile party could impersonate the client site and get access to the authorization 'code'. This could be achieved using DNS or ARP spoofing. This applies to clients, which are web applications; thus, the redirect URI is not local to the host where the user's browser is running.
OAuth 2.0 Threat Model and Security Considerations (RFC6819, section 18.104.22.168)
This threat is considered fully mitigated if all the test cases from the following test set succeed.
Back to the threat overview