diff --git a/typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php b/typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php
index e145f456768699370703a88a263a6267ce2d13fc..123c70dcbd2841bc2a13ccb2a95403986d2fb2ca 100644
--- a/typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php
+++ b/typo3/sysext/felogin/Classes/Controller/PasswordRecoveryController.php
@@ -108,6 +108,7 @@ class PasswordRecoveryController extends AbstractLoginFormController
     protected function validateIfHashHasExpired(): void
     {
         $hash = $this->request->hasArgument('hash') ? $this->request->getArgument('hash') : '';
+        $hash = is_string($hash) ? $hash : '';
 
         if (!$this->hasValidHash($hash)) {
             $this->redirect('recovery', 'PasswordRecovery', 'felogin');
@@ -288,7 +289,7 @@ class PasswordRecoveryController extends AbstractLoginFormController
             $hashedPassword = $event->getHashedPassword();
             if ($event->isPropagationStopped()) {
                 $requestResult = $this->request->getOriginalRequestMappingResults();
-                $requestResult->addError(new Error($event->getErrorMessage(), 1562846833));
+                $requestResult->addError(new Error($event->getErrorMessage() ?? '', 1562846833));
                 $this->request->setOriginalRequestMappingResults($requestResult);
 
                 $this->forward(
diff --git a/typo3/sysext/felogin/Classes/Redirect/RedirectHandler.php b/typo3/sysext/felogin/Classes/Redirect/RedirectHandler.php
index fc51cc170cb4fec84650adb281c2e007e6782210..035691f0781e119c8c7a1fb611f593edb210043b 100644
--- a/typo3/sysext/felogin/Classes/Redirect/RedirectHandler.php
+++ b/typo3/sysext/felogin/Classes/Redirect/RedirectHandler.php
@@ -158,7 +158,9 @@ class RedirectHandler
         }
 
         // Remove empty values, but keep "0" as value (that's why "strlen" is used as second parameter)
-        $redirectUrlList = array_filter($redirectUrlList, 'strlen');
+        $redirectUrlList = array_filter($redirectUrlList, static function (string $value): bool {
+            return strlen($value) > 0;
+        });
 
         return $redirectFirstMethod
             ? array_shift($redirectUrlList)
diff --git a/typo3/sysext/felogin/Classes/Validation/RedirectUrlValidator.php b/typo3/sysext/felogin/Classes/Validation/RedirectUrlValidator.php
index 1e548c72c659bf46c6d74290aa7eae59dd4498f8..900f9af17e346e27833a38a25002e7e615d14c47 100644
--- a/typo3/sysext/felogin/Classes/Validation/RedirectUrlValidator.php
+++ b/typo3/sysext/felogin/Classes/Validation/RedirectUrlValidator.php
@@ -82,8 +82,8 @@ class RedirectUrlValidator implements LoggerAwareInterface
      */
     protected function isInCurrentDomain(string $url): bool
     {
-        $urlWithoutSchema = preg_replace('#^https?://#', '', $url);
-        $siteUrlWithoutSchema = preg_replace('#^https?://#', '', GeneralUtility::getIndpEnv('TYPO3_SITE_URL'));
+        $urlWithoutSchema = preg_replace('#^https?://#', '', $url) ?? '';
+        $siteUrlWithoutSchema = preg_replace('#^https?://#', '', GeneralUtility::getIndpEnv('TYPO3_SITE_URL')) ?? '';
         return strpos($urlWithoutSchema . '/', GeneralUtility::getIndpEnv('HTTP_HOST') . '/') === 0
             && strpos($urlWithoutSchema, $siteUrlWithoutSchema) === 0;
     }