GHSA-5wvv-q5fv-2388: 
Rust vulnerability analysis and mitigation

A moderate severity vulnerability was discovered in hyper-staticfile, identified as GHSA-5wvv-q5fv-2388, affecting versions < 0.9.4 and >= 0.10.0-alpha.1, < 0.10.0-alpha.5. The vulnerability was published on December 30, 2022, and last updated on January 7, 2023. The issue involves the Location header incorporating user input during directory request redirects, potentially allowing open redirect attacks (GitHub Advisory, RustSec Advisory).

When hyper-staticfile performs a redirect for a directory request (e.g., a request for /dir that redirects to /dir/), the Location header value was derived directly from user input (the request path) by simply appending a slash. While the intended behavior was to perform an origin-relative redirect, certain inputs could trigger a scheme-relative redirect instead. The vulnerability is categorized under CWE-601 and has been assigned a Moderate severity rating (GitHub Advisory).

An attacker could exploit this vulnerability by crafting a special URL that appears legitimate but redirects to a malicious domain. This technique could be particularly effective in phishing attacks, where attackers could distribute seemingly innocent links through email that redirect users to malicious sites (RustSec Advisory).

The vulnerability has been patched in versions 0.9.4 and 0.10.0-alpha.5. The fix involves using a sanitized path for redirects instead of directly using user input, preventing scheme-relative redirects. The patch ensures that the redirect path is properly constructed by appending each component separately and maintaining proper path sanitization (GitHub Advisory).