Gitea: Open Redirect via redirect_to
- When
- Where
- Global (internet)
- Category
- cyber_advisory · go
### Details

Despite the validation within `urlIsRelative` in `modules/httplib/url.go`, an open redirect is still possible. A `redirect_to` value that combines a directory-traversal sequence (`..`) with a backslash passes the relative-URL check as written, but once the `..` segment is collapsed the value begins with `/\`, which browsers treat like `//`, i.e. a scheme-relative URL to another host.

### PoC

When a user logs in through this URL:

`https://gitea.com/user/login?redirect_to=/a/../\example.com`

they are redirected to `example.com` after a successful login to their Gitea account.

### Impact

* Phishing: attackers can use links on a trusted domain to send victims to credential-harvesting pages.
* OAuth/SSO token theft: in authentication flows, authorization codes or tokens may leak through the redirect.
* Referer leakage: sensitive URL parameters may be exposed to attacker-controlled domains via the Referer header.
* Cache poisoning: in deployments with shared caches, a malicious redirect may be cached and served to other users.
Sources
- GitHub Advisory Database ↗ · first seen 2026-06-17 18:10 UTC