GHSA-j5r2-4c8j-xc3mMedium

Gitea: Open Redirect via redirect_to

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Details

Despite the validation within urlIsRelative in modules/httplib/url.go, an open redirect is still possible due to usage of directory traversal sequences plus a back-slash in the "redirect_to" parameter.

PoC

When a user uses this URL to login:

https://gitea.com/user/login?redirect_to=/a/../\example.com

They would be redirected to example.com upon a successful login to their gitea account.

Impact

  • Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
  • OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
  • Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
  • Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users

🎯 Affected products1

  • go/github.com/go-gitea/gitea:<= 1.25.4

🔗 References (2)