PT-2026-50585 · Go · Github.Com/Go-Gitea/Gitea
Published
2026-06-17
·
Updated
2026-06-17
·
CVE-2026-25779
CVSS v4.0
5.1
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
Details
Despite the validation within
urlIsRelative in modules/httplib/url.go, an open redirect is still possible due to usage of directory traversal sequences plus a back-slash in the "redirect to" parameter.PoC
When a user uses this URL to login:
https://gitea.com/user/login?redirect to=/a/../example.comThey would be redirected to
example.com upon a successful login to their gitea account.Impact
- Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
- OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
- Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
- Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users
Fix
Open Redirect
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Go-Gitea/Gitea