GHSA-vrw8-fxc6-2r93

Suggest an improvement
Source
https://github.com/advisories/GHSA-vrw8-fxc6-2r93
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-vrw8-fxc6-2r93/GHSA-vrw8-fxc6-2r93.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vrw8-fxc6-2r93
Related
Published
2025-06-20T16:37:47Z
Modified
2025-06-20T16:37:47Z
Downstream
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes
Details

Summary

The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

Details

The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/v5.2.1/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

PoC

Create a simple server which uses the RedirectSlashes middleware

package main

import (
    "fmt"
    "net/http"

    "github.com/go-chi/chi/v5"
    "github.com/go-chi/chi/v5/middleware" // Import the middleware package
)

func main() {
    // Create a new Chi router
    r := chi.NewRouter()

    // Use the built-in RedirectSlashes middleware
    r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes

    // Define a route handler
    r.Get("/", func(w http.ResponseWriter, r *http.Request) {
        // A simple response
        w.Write([]byte("Hello, World!"))
    })

    // Start the server
    fmt.Println("Starting server on :8080")
    http.ListenAndServe(":8080", r)
}

Run the server go run main.go

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header curl -iL -H "Host: example.com" http://localhost:8080/test/

Observe that the request will be redirected to example.com

curl -L -H "Host: example.com" http://localhost:8080/test/

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...

Without the host header, the response is returned from the test server

curl -L http://localhost:8080/test/

404 page not found

Impact

An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

Potential mitigation

It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.

Database specific 
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-601"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-20T16:37:47Z"
}
References

Affected packages

Go / github.com/go-chi/chi/v5

Package

Name
github.com/go-chi/chi/v5
View open source insights on deps.dev
Purl
pkg:golang/github.com/go-chi/chi/v5

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.2.2

Database specific 

{
    "last_known_affected_version_range": "<= 5.2.1"
}