🦀 crates.io

GHSA-vhj5-x93p-67jw

MEDIUM

actix-web-lab redirect middleware has Host header poisoning that can generate attacker-controlled absolute redirects

Published: Mar 11, 2026
Updated: Mar 15, 2026
Affected: 1 pkg
Patched: 1 / 1
Exploits: None indexed

Blast Radius

1 pkg affected
🦀actix-web-lab


Description

Summary

actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs (for example, https://{hostname}{path}). In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing open redirect/phishing behavior.

CVE

Assigned CVE ID: CVE-2025-63762

Details

The issue is in redirect middleware paths that construct absolute URLs from req.connection_info():

  1. actix-web-lab/src/redirect_to_https.rs (around lines 119-132)

    • let host = conn_info.host();
    • format!("https://{hostname}{path}")
    • format!("https://{hostname}:{port}{path}")
  2. actix-web-lab/src/redirect_to_www.rs (around lines 30-35)

    • format!("{scheme}://www.{host}{path}")
  3. actix-web-lab/src/redirect_to_non_www.rs (around lines 30-34)

    • format!("{scheme}://{host_no_www}{path}")

Because host values come from request connection metadata, untrusted Host input can influence redirect targets when deployment-side host validation is missing.
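The construction the advisory describes, beside a host-allowlisting counterpart, as an added example that is not actix-web-lab's code: it models the quoted format! calls with plain strings so it runs without actix-web, and the function names, the RedirectError type, the allowlist contents and the optional configured HTTPS port are assumptions made for illustration.

```rust
// Added example, not actix-web-lab code. Models the redirect construction from the
// advisory with plain strings so it runs with no actix-web dependency. Function
// names, RedirectError, the allowlist and the configured port are assumptions.

#[derive(Debug, PartialEq)]
pub enum RedirectError {
    HostNotAllowed(String),
    BadPath(String),
}

/// Unchecked construction in the shape the advisory quotes: whatever host the
/// request carried is copied verbatim into the Location header.
pub fn unchecked_https_redirect(request_host: &str, path: &str) -> String {
    format!("https://{}{}", request_host, path)
}

/// Strip an optional ":port" suffix from a Host value. A bracketed IPv6 literal
/// such as "[::1]:8080" keeps its brackets in the returned host part.
pub fn strip_port(raw: &str) -> &str {
    if let Some(end) = raw.find(']') {
        return &raw[..=end];
    }
    match raw.rfind(':') {
        Some(i) => &raw[..i],
        None => raw,
    }
}

/// Accept the request host only if it is one of the deployment's own names.
/// Returns the canonical allowlist entry, never the request-supplied string.
pub fn validate_host<'a>(
    request_host: &str,
    allowed_hosts: &[&'a str],
) -> Result<&'a str, RedirectError> {
    let host = strip_port(request_host.trim());
    allowed_hosts
        .iter()
        .copied()
        .find(|allowed| allowed.eq_ignore_ascii_case(host))
        .ok_or_else(|| RedirectError::HostNotAllowed(request_host.to_string()))
}

/// Reject paths that could change the redirect target ("//host") or inject
/// extra header lines (CR/LF) into the Location value.
pub fn validate_path(path: &str) -> Result<&str, RedirectError> {
    let has_crlf = path.chars().any(|c| c == '\r' || c == '\n');
    if !path.starts_with('/') || path.starts_with("//") || has_crlf {
        return Err(RedirectError::BadPath(path.to_string()));
    }
    Ok(path)
}

/// Hardened HTTPS redirect: host comes from the allowlist, port from configuration.
pub fn checked_https_redirect(
    request_host: &str,
    path: &str,
    allowed_hosts: &[&str],
    https_port: Option<u16>,
) -> Result<String, RedirectError> {
    let host = validate_host(request_host, allowed_hosts)?;
    let path = validate_path(path)?;
    Ok(match https_port {
        Some(port) if port != 443 => format!("https://{}:{}{}", host, port, path),
        _ => format!("https://{}{}", host, path),
    })
}

/// Hardened www redirect: the "www." prefix is only ever added to a known host.
pub fn checked_www_redirect(
    scheme: &str,
    request_host: &str,
    path: &str,
    allowed_hosts: &[&str],
) -> Result<String, RedirectError> {
    let host = validate_host(request_host, allowed_hosts)?;
    let path = validate_path(path)?;
    let bare = host.strip_prefix("www.").unwrap_or(host);
    Ok(format!("{}://www.{}{}", scheme, bare, path))
}

fn main() {
    // Constructed inputs shaped like the advisory's PoC requests; the allowlist
    // is this example's assumed deployment configuration.
    let allowed = ["example.org", "www.example.org"];
    println!("{}", unchecked_https_redirect("attacker.example", "/test"));
    println!("{:?}", checked_https_redirect("attacker.example", "/test", &allowed, None));
    println!("{:?}", checked_https_redirect("Example.org:18080", "/test", &allowed, None));
    println!("{:?}", checked_www_redirect("http", "example.org", "/hello", &allowed));
}
```

The hardened functions return the canonical allowlist entry rather than the request's Host string, so even a case-variant or port-suffixed match cannot carry request text into Location, and path validation rejects protocol-relative `//` prefixes and CR/LF. In a real deployment the same check belongs at the reverse proxy or in the application's host configuration, which is the host validation the advisory says affected deployments are missing.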

PoC

Environment used for validation:

  • Local minimal Actix apps using actix-web-lab middleware
  • RedirectHttps: http://127.0.0.1:18080
  • redirect_to_www: http://127.0.0.1:18081
  • redirect_to_non_www: http://127.0.0.1:18082

Reproduction (RedirectHttps):

curl.exe -i -s "http://127.0.0.1:18080/test" -H "Host: attacker.example"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: https://attacker.example/test

Additional verification:

curl.exe -i -s "http://127.0.0.1:18080/abc/def" -H "Host: evil.example:9999"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: https://evil.example/abc/def

Reproduction (redirect_to_www):

curl.exe -i -s "http://127.0.0.1:18081/hello" -H "Host: attacker.example"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: http://www.attacker.example/hello

Reproduction (redirect_to_non_www):

curl.exe -i -s "http://127.0.0.1:18082/path" -H "Host: www.attacker.example"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: http://attacker.example/path

Impact

This is a Host header poisoning / open redirect issue. Users can be redirected to attacker-controlled domains, enabling phishing and trust-boundary abuse. Any application using these middleware paths without strict host validation (proxy/app allowlisting) is impacted.

Affected Packages

1 total, 1 fixed

Ecosystem   Package         Vulnerable range   Fix
crates.io   actix-web-lab   all versions       0.26.0

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for actix-web-lab. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update actix-web-lab to 0.26.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-vhj5-x93p-67jw is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-vhj5-x93p-67jw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-vhj5-x93p-67jw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

O3 Security · Impact-Aware SCA

Is GHSA-vhj5-x93p-67jw in your dependencies?

O3 detects GHSA-vhj5-x93p-67jw across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.