GHSA-mqqf-5wvp-8fh8
MEDIUM: chi has an open redirect vulnerability in the RedirectSlashes middleware
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/go-chi/chi/v5
Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The RedirectSlashes function in middleware/strip.go does not perform correct input validation and can lead to an open redirect vulnerability.
Details
The RedirectSlashes function trims all leading and trailing forward slash (/) characters and then prepends a single one at the beginning of the path (Line 52).
However, it does not trim backslashes (\).
File: middleware/strip.go

```go
41: func RedirectSlashes(next http.Handler) http.Handler {
...
51: // Trim all leading and trailing slashes (e.g., "//evil.com", "/some/path//")
52: path = "/" + strings.Trim(path, "/")
...
62: }
```
Also, from version 5.2.2 onwards the RedirectSlashes function no longer includes the Host header in the Location of the redirect response it returns. This was done to address another [vulnerability](https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93).
Together, these make a response of the following form possible:

```http
HTTP/1.1 301 Moved Permanently
Location: /\evil.com
```

Most browsers (Chrome, Firefox, etc.; not Safari) transform /\evil.com into //evil.com, which is a protocol-relative URL and results in a redirect to evil.com, essentially making this an open redirect vulnerability.
PoC
A minimal working example can be seen below.
```go
package main

import (
	"fmt"
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware"
)

func main() {
	r := chi.NewRouter()
	// The affected middleware: redirects any path with a trailing slash.
	r.Use(middleware.RedirectSlashes)
	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	fmt.Println("Server starting on port 8081...")
	if err := http.ListenAndServe(":8081", r); err != nil {
		fmt.Printf("Error starting server: %v\n", err)
	}
}
```
When we request the path /\evil.com/ (in the terminal the backslash must be escaped with a second backslash, or URL-encoded as %5C), the HTTP redirect Location is just /\evil.com without any domain/Host information:

```text
$ curl -I localhost:8081/\\evil.com/
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: /\evil.com

$ curl -I localhost:8081/%5Cevil.com/
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: /\evil.com
```
Opening this in a browser (Chrome, Firefox) transforms it into //evil.com, which in turn redirects to evil.com.
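To make the root cause concrete, the following added example (not chi's code and not part of the advisory) contrasts the normalization quoted from line 52 above with a hardened variant, and runs both through an in-memory trailing-slash redirect handler so the resulting Location header can be inspected without starting a server. The names vulnerablePath, safePath and redirectLocation are this example's own, and safePath is an illustrative hardening, not the upstream 5.2.4 fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// vulnerablePath mirrors the normalization quoted from
// middleware/strip.go line 52: only forward slashes are trimmed,
// so a leading backslash survives and "/\evil.com/" becomes "/\evil.com".
func vulnerablePath(path string) string {
	return "/" + strings.Trim(path, "/")
}

// safePath is an added hardening, not chi's own fix: backslashes are
// folded into forward slashes before trimming, so "/\evil.com/"
// normalizes to the local path "/evil.com" and can no longer be read
// by a browser as the protocol-relative URL "//evil.com".
func safePath(path string) string {
	return "/" + strings.Trim(strings.ReplaceAll(path, `\`, "/"), "/")
}

// redirectLocation drives a trailing-slash redirect handler built on
// the given normalizer with an in-memory request and returns the
// Location header it emits ("" when no redirect happens).
func redirectLocation(normalize func(string) string, rawPath string) string {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p := r.URL.Path
		if len(p) > 1 && strings.HasSuffix(p, "/") {
			// As in chi >= 5.2.2, the redirect carries no scheme or host.
			http.Redirect(w, r, normalize(p), http.StatusMovedPermanently)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Header().Get("Location")
}

func main() {
	for _, p := range []string{`/\evil.com/`, "/some/path//"} {
		fmt.Printf("%-14q vulnerable=%q safe=%q\n", p,
			redirectLocation(vulnerablePath, p), redirectLocation(safePath, p))
	}
}
```

The same harness can be pointed at an application's real middleware chain to verify that a Location header never starts with "/\" or "//" after upgrading.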
Impact
This is essentially an open redirect vulnerability, provided that victim users use the most popular browsers (Chrome, Firefox, etc.; it does not work in e.g. Safari).
The attacker can construct a malicious URL on the domain of a legitimate website and send it to a victim. Victims who believe they are clicking on the legitimate website's URL are unknowingly redirected to an attacker-controlled website.
This can lead to credential theft if the victim is redirected to a phishing website, to malware hosted on the attacker-controlled website, etc. It also has a significant reputational / business impact for the affected legitimate website.
To exploit this vulnerability the attacker does not need to be authenticated or have any other privilege / knowledge regarding the affected application.
CVSS Score: 4.7 (Medium)
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹 Go | github.com/go-chi/chi/v5 | ≥ 5.2.2, < 5.2.4 | 5.2.4 |
Detection & mitigation playbook
Open-source dependency
Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/go-chi/chi/v5. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/go-chi/chi/v5 to 5.2.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-mqqf-5wvp-8fh8 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: remove or gate the RedirectSlashes middleware, validate untrusted request paths at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-mqqf-5wvp-8fh8 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-mqqf-5wvp-8fh8. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-mqqf-5wvp-8fh8 in your dependencies?
O3 detects GHSA-mqqf-5wvp-8fh8 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.