GHSA-vrw8-fxc6-2r93: chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes
The RedirectSlashes function in middleware/strip.go is vulnerable to Host header injection, which leads to an open redirect.
We consider this a lower-severity open redirect, as it can’t be exploited from browsers or email clients (requires manipulation of a Host header).
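The bug class described above, shown as an added Go example that is not chi's source code: a trailing-slash redirect that builds its Location from the request's Host header, next to a hardened form that redirects to a local path only. The handler names, the helper locationFor, and the host untrusted.example are hypothetical and constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostBasedRedirect shows the weak pattern (assumed shape, not chi's code):
// the Location is assembled from the client-supplied Host header.
func hostBasedRedirect(w http.ResponseWriter, r *http.Request) {
	p := strings.TrimRight(r.URL.Path, "/")
	http.Redirect(w, r, "//"+r.Host+p, http.StatusMovedPermanently)
}

// pathOnlyRedirect is the hardened form: the Location never contains a host.
// Trimming slashes on both ends keeps the target a single-slash local path,
// so it cannot be parsed as a scheme-relative URL.
func pathOnlyRedirect(w http.ResponseWriter, r *http.Request) {
	p := "/" + strings.Trim(r.URL.Path, "/")
	if r.URL.RawQuery != "" {
		p += "?" + r.URL.RawQuery
	}
	http.Redirect(w, r, p, http.StatusMovedPermanently)
}

// locationFor sends GET target with the given Host header to h and
// returns the Location header of the response.
func locationFor(h http.HandlerFunc, host, target string) string {
	req := httptest.NewRequest(http.MethodGet, target, nil)
	req.Host = host
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	const host = "untrusted.example" // constructed Host header value
	fmt.Println("host-based:", locationFor(hostBasedRedirect, host, "/docs/"))
	fmt.Println("path-only: ", locationFor(pathOnlyRedirect, host, "/docs/"))
}
```

A regression test for any redirecting middleware can use the same check: the Location header must not change when only the Host header changes.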