GHSA-vhj5-x93p-67jw: Host Header Poisoning and Open Redirect in actix-web-lab
Vulnerability ID: GHSA-VHJ5-X93P-67JW
CVSS Score: 6.1
Published: 2026-03-11
The actix-web-lab crate prior to version 0.26.0 contains a host header poisoning vulnerability in its redirect middleware components. Attackers can manipulate the incoming HTTP Host header or forwarding headers to dictate the Location header in the application's redirect responses. This mechanism results in an Open Redirect vulnerability, allowing attackers to route users to arbitrary, untrusted domains.
TL;DR
actix-web-lab middleware uses unvalidated Host headers for HTTP redirects, enabling Open Redirect attacks. Version 0.26.0 introduces an allowlist mechanism that must be explicitly configured by developers to secure the application.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-601
- CWE Name: Open Redirect
- CVSS Score: 6.1 (Medium)
- Attack Vector: Network
- Authentication: None
- User Interaction: Required
- Exploit Status: Proof-of-Concept
- CISA KEV: Not Listed
Affected Systems
- actix-web-lab: < 0.26.0 (Fixed in: 0.26.0)
Code Analysis
Commit: 142c28b
feat: add optional allowlist to redirect middleware
Mitigation Strategies
- Upgrade dependency version
- Configure explicit middleware allowlists
- Enforce reverse proxy header validation
Remediation Steps:
- Update actix-web-lab in Cargo.toml to version 0.26.0 or higher.
- Locate all instances of RedirectHttps, RedirectToWww, and RedirectToNonWww in the application routing configuration.
- Append the .allow_hosts([]) method to each middleware instance, passing an array of legitimate domains the application serves.
- Configure upstream load balancers or proxies to overwrite or strip untrusted X-Forwarded-Host headers.
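The following is an added, standalone model of the mechanism described above, not actix-web-lab's own code: it shows how a redirect middleware that builds Location from the (proxy-forwarded) Host header can be steered to an attacker-chosen domain, and how an explicit host allowlist refuses such a redirect. The request struct, function names and the sample hosts (`example.com`, `attacker.example`) are constructed for the example.

```rust
use std::collections::HashSet;

/// Minimal view of the request data a redirect middleware consumes (constructed).
struct RedirectRequest<'a> {
    host: &'a str,                   // Host header
    forwarded_host: Option<&'a str>, // X-Forwarded-Host, if a proxy set it
    path: &'a str,                   // request path and query
}

/// Effective host as proxy-aware middleware typically resolves it:
/// X-Forwarded-Host wins over Host. Both values are client-controlled
/// unless the upstream proxy strips or overwrites them.
fn effective_host(req: &RedirectRequest<'_>) -> String {
    req.forwarded_host.unwrap_or(req.host).trim().to_ascii_lowercase()
}

/// Model of the pre-0.26.0 behaviour: Location is built from the effective
/// host with no validation, so a poisoned header becomes an open redirect.
fn location_unvalidated(req: &RedirectRequest<'_>) -> String {
    format!("https://{}{}", effective_host(req), req.path)
}

/// Model of the allowlist behaviour: Location is built only when the
/// effective host (compared case-insensitively, port included) is one of
/// the configured hosts; otherwise `None` is returned and the caller should
/// answer with an error status instead of redirecting.
fn location_allowlisted(allow_hosts: &[&str], req: &RedirectRequest<'_>) -> Option<String> {
    let allow: HashSet<String> = allow_hosts.iter().map(|h| h.to_ascii_lowercase()).collect();
    let host = effective_host(req);
    allow
        .contains(&host)
        .then(|| format!("https://{}{}", host, req.path))
}

fn main() {
    // Constructed request: a forwarded host the application does not serve.
    let poisoned = RedirectRequest {
        host: "example.com",
        forwarded_host: Some("attacker.example"),
        path: "/login",
    };
    println!("unvalidated: {}", location_unvalidated(&poisoned));
    println!(
        "allowlisted: {:?}",
        location_allowlisted(&["example.com", "www.example.com"], &poisoned)
    );
}
```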
References
- GHSA-vhj5-x93p-67JW Advisory
- Fix Commit 142c28b82eb59b67445a859a2a9b75e01a9964ee
- Fix Pull Request #292