GHSA-VRW8-FXC6-2R93
Vulnerability from github – Published: 2025-06-20 16:37 – Updated: 2025-10-13 15:41Summary
The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.
We consider this a lower-severity open redirect, as it can't be exploited from browsers or email clients (requires manipulation of a Host header).
Details
The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/master/middleware/strip.go#L55
The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware
PoC
Create a simple server which uses the RedirectSlashes middleware
package main
import (
"fmt"
"net/http"
"github.com/go-chi/chi/v5"
"github.com/go-chi/chi/v5/middleware" // Import the middleware package
)
func main() {
// Create a new Chi router
r := chi.NewRouter()
// Use the built-in RedirectSlashes middleware
r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes
// Define a route handler
r.Get("/", func(w http.ResponseWriter, r *http.Request) {
// A simple response
w.Write([]byte("Hello, World!"))
})
// Start the server
fmt.Println("Starting server on :8080")
http.ListenAndServe(":8080", r)
}
Run the server go run main.go
Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header
curl -iL -H "Host: example.com" http://localhost:8080/test/
Observe that the request will be redirected to example.com
curl -L -H "Host: example.com" http://localhost:8080/test/
<!doctype html>
<html>
<head>
<title>Example Domain</title>
<meta charset="utf-8" />
<meta http-equiv="Content-type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<style type="text/css">
body {
background-color: #f0f0f2;
margin: 0;
padding: 0;
font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...
Without the host header, the response is returned from the test server
curl -L http://localhost:8080/test/
404 page not found
Impact
An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.
Potential mitigation
It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 5.2.1"
},
"package": {
"ecosystem": "Go",
"name": "github.com/go-chi/chi/v5"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-06-20T16:37:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.\n\nWe consider this a **lower-severity** open redirect, as it can\u0027t be exploited from browsers or email clients (requires manipulation of a Host header).\n\n### Details\nThe RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/master/middleware/strip.go#L55\n\nThe Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware\n\n### PoC\nCreate a simple server which uses the RedirectSlashes middleware\n```\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/go-chi/chi/v5\"\n\t\"github.com/go-chi/chi/v5/middleware\" // Import the middleware package\n)\n\nfunc main() {\n\t// Create a new Chi router\n\tr := chi.NewRouter()\n\n\t// Use the built-in RedirectSlashes middleware\n\tr.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes\n\n\t// Define a route handler\n\tr.Get(\"/\", func(w http.ResponseWriter, r *http.Request) {\n\t\t// A simple response\n\t\tw.Write([]byte(\"Hello, World!\"))\n\t})\n\n\t// Start the server\n\tfmt.Println(\"Starting server on :8080\")\n\thttp.ListenAndServe(\":8080\", r)\n}\n```\nRun the server `go run main.go`\n\nOnce the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header\n`curl -iL -H \"Host: example.com\" http://localhost:8080/test/`\n\nObserve that the request will be redirected to example.com\n\n```\ncurl -L -H \"Host: example.com\" http://localhost:8080/test/\n\n\u003c!doctype html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n \u003ctitle\u003eExample Domain\u003c/title\u003e\n\n \u003cmeta charset=\"utf-8\" /\u003e\n \u003cmeta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\" /\u003e\n \u003cmeta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /\u003e\n \u003cstyle type=\"text/css\"\u003e\n body {\n background-color: #f0f0f2;\n margin: 0;\n padding: 0;\n font-family: -apple-system, system-ui, BlinkMacSystemFont, \"Segoe UI\", \"Open Sans\", \"Helvetica Neue\", Helvetica, Arial, sans-serif;\n... snipped ...\n```\nWithout the host header, the response is returned from the test server\n```\ncurl -L http://localhost:8080/test/\n\n404 page not found\n```\n\n### Impact\nAn open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application\u2019s domain while being redirected to harmful sites.\n\n### Potential mitigation\nIt seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.",
"id": "GHSA-vrw8-fxc6-2r93",
"modified": "2025-10-13T15:41:17Z",
"published": "2025-06-20T16:37:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93"
},
{
"type": "WEB",
"url": "https://github.com/go-chi/chi/commit/1be7ad938cc9c5b39a9dea01a5c518848928ab65"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-chi/chi"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.