PT-2026-50585 · Go · Github.Com/Go-Gitea/Gitea
Published 2026-06-17 · Updated 2026-06-17
CVE-2026-25779
CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Details
Despite the validation within urlIsRelative in modules/httplib/url.go, an open redirect is still possible due to the use of directory traversal sequences plus a backslash in the "redirect_to" parameter.
PoC
When a user uses this URL to log in:
https://gitea.com/user/login?redirect_to=/a/../example.com
They would be redirected to example.com upon a successful login to their Gitea account.
Impact
- Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
- OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
- Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
- Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users
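
A defensive check for the class of bug described under Details, as an added example that is not Gitea's code or its fix: the hypothetical helper `safeRedirectTarget` rejects any backslash, resolves `..` segments before deciding, and returns only the normalized path. The inputs in `main` are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// safeRedirectTarget is a hypothetical helper (not Gitea's urlIsRelative).
// It returns a normalized same-site path, or fallback if raw could leave the site.
func safeRedirectTarget(raw, fallback string) string {
	u, err := url.Parse(raw) // url.Parse also rejects ASCII control characters
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return fallback // absolute, scheme-relative ("//host") or opaque URL
	}
	// Browsers treat '\' like '/' in http(s) URLs, so "/\host" behaves like "//host".
	// u.Path is percent-decoded, so this also catches an encoded "%5c".
	if strings.Contains(raw, `\`) || strings.Contains(u.Path, `\`) {
		return fallback
	}
	if !strings.HasPrefix(u.Path, "/") {
		return fallback
	}
	// Resolve "." / ".." and duplicate slashes first, then emit only the
	// normalized form, so the value that was checked is the value that is sent.
	clean := path.Clean(u.Path)
	return (&url.URL{Path: clean, RawQuery: u.RawQuery}).String()
}

func main() {
	// Constructed sample inputs for a redirect_to value.
	samples := []string{
		"/user/settings?tab=keys",
		"/a/../example.com",
		`/a/../\example.com`,
		"/a/..%2f%5cexample.com",
		"//example.com",
		"https://example.com/",
	}
	for _, in := range samples {
		fmt.Printf("%-28q -> %q\n", in, safeRedirectTarget(in, "/"))
	}
}
```

Traversal without a backslash collapses to a local path, while every input that a browser could read as another host falls back to `/`.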
Fix
Open Redirect
Weakness Enumeration
Related identifiers
Affected products
Github.Com/Go-Gitea/Gitea