CVE-2021-32721: 
vulnerability analysis and mitigation

PowerMux, a drop-in replacement for Go's http.ServeMux, was found to contain a URL Redirection vulnerability (CVE-2021-32721) in versions prior to 1.1.1. The vulnerability was disclosed on June 28, 2021, affecting the core functionality of the package's trailing slash redirection feature (GitHub Advisory).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) with a moderate severity rating. The issue stems from improper validation in the trailing slash redirection feature, which could be exploited through specially crafted URLs containing pairs of forward slashes in sequence combined with a trailing slash (e.g., https://example.com//foo/) (GitHub Advisory).

Successful exploitation of this vulnerability could allow attackers to craft phishing links and perform open redirects, potentially leading users to be redirected to untrusted sites after following an attacker-crafted link (GitHub Advisory).

The vulnerability has been patched in version 1.1.1 of PowerMux. No workarounds exist for unpatched versions, but organizations can detect exploitation attempts by monitoring for request paths containing pairs of forward slashes in sequence combined with a trailing slash (GitHub Advisory).