chi has an open redirect vulnerability in the RedirectSlashes middleware
The RedirectSlashes function in middleware/strip.go does not perform correct input validation and can lead to an open redirect vulnerability.
Advisories for Golang/Github.com/Go-Chi/Chi package
2026
2025
chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes
The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect. We consider this a lower-severity open redirect, as it can't be exploited from browsers or email clients (requires manipulation of a Host header).