GHSA-vrw8-fxc6-2r93: 
vulnerability analysis and mitigation

The RedirectSlashes function in middleware/strip.go of the go-chi/chi package (versions <= 5.2.1) contains a host header injection vulnerability that leads to open redirect (GHSA-vrw8-fxc6-2r93). This moderate severity vulnerability was discovered and reported by Anuraag Baishya, and was published on June 20, 2025. The issue affects the Go module github.com/go-chi/chi/v5 and has been patched in version 5.2.2 (GitHub Advisory).

The vulnerability stems from the RedirectSlashes method using the Host header to construct the redirectURL, allowing attackers to manipulate the Host header to any arbitrary host. The vulnerability has a CVSS v4 score of 5.1 (Moderate) with the following metrics: Network attack vector, Low attack complexity, No attack requirements, No privileges required, and Active user interaction. The vulnerability is tracked as CWE-601 and requires the manipulation of the Host header for exploitation (GitHub Advisory).

The open redirect vulnerability enables attackers to redirect users to malicious websites. While considered lower-severity as it cannot be exploited directly from browsers or email clients (requiring Host header manipulation), it can still facilitate phishing attacks, credential theft, and malware distribution. The vulnerability is particularly concerning because users may trust the application's domain while being redirected to harmful sites (GitHub Advisory).

The recommended mitigation is to use r.RequestURI instead of r.Host by default, as the RedirectSlashes function is primarily intended for redirects within the same application. For cases requiring redirection to different hosts, a flag can be added to explicitly enable Host header usage, allowing developers to make informed decisions about allowing redirects to arbitrary hosts. The vulnerability has been patched in version 5.2.2 (GitHub Advisory, Chi Commit).