diff --git a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
index e5ccf6cf9d..620610f681 100644
--- a/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
+++ b/web/src/main/java/org/springframework/security/web/savedrequest/DefaultSavedRequest.java
@@ -38,6 +38,7 @@ import org.springframework.security.web.PortResolver;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
+import org.springframework.web.util.UriComponentsBuilder;
 
 /**
  * Represents central information from a {@code HttpServletRequest}.
@@ -372,10 +373,8 @@ public class DefaultSavedRequest implements SavedRequest {
 		if (queryString == null || queryString.length() == 0) {
 			return matchingRequestParameterName;
 		}
-		if (queryString.endsWith("&")) {
-			return queryString + matchingRequestParameterName;
-		}
-		return queryString + "&" + matchingRequestParameterName;
+		return UriComponentsBuilder.newInstance().query(queryString).replaceQueryParam(matchingRequestParameterName)
+				.queryParam(matchingRequestParameterName).build().getQuery();
 	}
 
 	/**
diff --git a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
index 4bec0f1296..f010a6521d 100644
--- a/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
+++ b/web/src/test/java/org/springframework/security/web/savedrequest/DefaultSavedRequestTests.java
@@ -122,4 +122,14 @@ public class DefaultSavedRequestTests {
 		assertThat(new URL(savedRequest.getRedirectUrl())).hasQuery("foo=bar&success");
 	}
 
+	// gh-13438
+	@Test
+	public void getRedirectUrlWhenQueryAlreadyHasSuccessThenDoesNotAdd() throws Exception {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		request.setQueryString("foo=bar&success");
+		DefaultSavedRequest savedRequest = new DefaultSavedRequest(request, new MockPortResolver(8080, 8443),
+				"success");
+		assertThat(savedRequest.getRedirectUrl()).contains("foo=bar&success");
+	}
+
 }