
CVE Reports

Originally published at cvereports.com

GHSA-MQQF-5WVP-8FH8: Slashing Through the Safety Nets: The go-chi Open Redirect


Vulnerability ID: GHSA-MQQF-5WVP-8FH8
CVSS Score: 4.7
Published: 2026-01-14

A logic error in the RedirectSlashes middleware of the popular Go router 'chi' allows attackers to bypass its open redirect protections using backslashes.

TL;DR

The RedirectSlashes middleware in go-chi/chi attempted to clean up URLs by removing trailing slashes but failed to account for backslashes. By sending a request like /\target.com/, attackers can trick the server into issuing a redirect to /\target.com. Most modern browsers treat the backslash as a forward slash and interpret this as a protocol-relative URL (//target.com), redirecting the victim to an external malicious domain.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-601
  • Attack Vector: Network (AV:N)
  • CVSS Score: 4.7 (Medium)
  • Complexity: Low (AC:L)
  • Privileges: None (PR:N)
  • User Interaction: Required (UI:R)
  • Patch Status: Available

Affected Systems

  • Go applications using chi router
  • Services utilizing middleware.RedirectSlashes
  • Web applications exposed to public traffic
  • github.com/go-chi/chi: >= 5.2.2, < 5.2.3 (Fixed in: v5.2.3)

Code Analysis

Commit: 6eb3588

middleware: fix RedirectSlashes to normalize backslashes

path = strings.ReplaceAll(path, `\`, `/`)
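To make the mechanism and the fix concrete, the following is an added Go example; it is not chi's code and not part of the original report. It reconstructs a simplified RedirectSlashes-style middleware in two modes: the flawed behaviour, and the behaviour after the one-liner from commit 6eb3588 is applied before the redirect target is computed. The loop that collapses repeated leading slashes is an assumption about what the pre-existing "//" guard looked like (the page shows only the backslash normalization line). leavesOrigin is a defender-side check, also assumed here, that an integration test can run over any Location header to flag a target a browser would resolve off-origin.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// trailingSlashTarget computes where a RedirectSlashes-style middleware sends a
// request whose path ends in "/". Simplified reconstruction for illustration,
// not chi's code. fixBackslashes=false reproduces the flaw in the advisory;
// fixBackslashes=true applies the upstream fix (ReplaceAll `\` -> `/`) first.
func trailingSlashTarget(path string, fixBackslashes bool) (string, bool) {
	if fixBackslashes {
		// The line added in commit 6eb3588: fold backslashes before any check.
		path = strings.ReplaceAll(path, `\`, `/`)
	}
	// Assumed pre-existing guard: "//evil.com/" must not become "//evil.com".
	// It never fires for "/\evil.com/" unless backslashes were folded first.
	for strings.HasPrefix(path, "//") {
		path = path[1:]
	}
	if len(path) > 1 && strings.HasSuffix(path, "/") {
		return strings.TrimSuffix(path, "/"), true
	}
	return path, false
}

// redirectSlashes wraps next with the reconstructed middleware.
func redirectSlashes(fixBackslashes bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Go's server has already decoded %5C into a literal backslash here.
		target, redirect := trailingSlashTarget(r.URL.Path, fixBackslashes)
		if redirect {
			if r.URL.RawQuery != "" {
				target += "?" + r.URL.RawQuery
			}
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// locationFor sends one request through the middleware and returns the
// Location header a client would receive ("" when no redirect happened).
func locationFor(rawPath string, fixBackslashes bool) string {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, rawPath, nil)
	redirectSlashes(fixBackslashes, ok).ServeHTTP(rec, req)
	return rec.Header().Get("Location")
}

// leavesOrigin applies browser-style backslash folding to a Location value and
// reports whether the result is protocol-relative ("//host") or absolute.
func leavesOrigin(location string) bool {
	folded := strings.ReplaceAll(location, `\`, `/`)
	return strings.HasPrefix(folded, "//") || strings.Contains(folded, "://")
}

func main() {
	// Constructed request targets: a benign path, the advisory's curl target,
	// and the older "//" form that the assumed guard already handles.
	for _, p := range []string{"/docs/", "/%5Cevil.com/", "//evil.com/"} {
		for _, fixed := range []bool{false, true} {
			loc := locationFor(p, fixed)
			fmt.Printf("fixed=%-5v %-14s -> Location: %-14q offsite=%v\n",
				fixed, p, loc, leavesOrigin(loc))
		}
	}
}
```

Run with go run; the unfixed mode answers /%5Cevil.com/ with Location: /\evil.com, which leavesOrigin flags because a browser reads it as //evil.com, while the fixed mode answers /evil.com. The same leavesOrigin check is what you would wire into a handler test before relying on any trailing-slash or path-rewriting middleware.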

Exploit Details

  • Manual: curl -I localhost:8080/%5Cevil.com/

Mitigation Strategies

  • Input Normalization (replace backslashes with forward slashes)
  • Strict Path Validation
  • WAF Filtering of encoded backslashes (%5C)

Remediation Steps:

  1. Identify services using middleware.RedirectSlashes.
  2. Update go.mod to require go-chi v5.2.3 or later.
  3. Run go mod tidy and go mod vendor.
  4. Rebuild and deploy the service.


Read the full report for GHSA-MQQF-5WVP-8FH8 on our website for more details including interactive diagrams and full exploit analysis.
