fix(deps): update module github.com/go-chi/chi/v5 to v5.2.2 [security]

[renovate-sh-app]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/go-chi/chi/v5	v5.1.0 -> v5.2.2

GitHub Vulnerability Alerts

GHSA-vrw8-fxc6-2r93

Summary

The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

Details

The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/v5.2.1/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

PoC

Create a simple server which uses the RedirectSlashes middleware

package main

import (
	"fmt"
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware" // Import the middleware package
)

func main() {
	// Create a new Chi router
	r := chi.NewRouter()

	// Use the built-in RedirectSlashes middleware
	r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes

	// Define a route handler
	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
		// A simple response
		w.Write([]byte("Hello, World!"))
	})

	// Start the server
	fmt.Println("Starting server on :8080")
	http.ListenAndServe(":8080", r)
}

Run the server go run main.go

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header
curl -iL -H "Host: example.com" http://localhost:8080/test/

Observe that the request will be redirected to example.com

curl -L -H "Host: example.com" http://localhost:8080/test/

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...

Without the host header, the response is returned from the test server

curl -L http://localhost:8080/test/

404 page not found

Impact

An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

Potential mitigation

It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.

---

Host Header Injection which Leads to Open Redirect in RedirectSlashes in github.com/go-chi/chi

GHSA-vrw8-fxc6-2r93 / GO-2025-3770

More information

Details

Host Header Injection which Leads to Open Redirect in RedirectSlashes in github.com/go-chi/chi

Severity

Unknown

References

• https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93
• https://github.com/go-chi/chi/commit/1be7ad938cc9c5b39a9dea01a5c518848928ab65

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

---

chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes

GHSA-vrw8-fxc6-2r93 / GO-2025-3770

More information

Details

Summary

The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

Details

The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/v5.2.1/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

PoC

Create a simple server which uses the RedirectSlashes middleware

package main

import (
	"fmt"
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware" // Import the middleware package
)

func main() {
	// Create a new Chi router
	r := chi.NewRouter()

	// Use the built-in RedirectSlashes middleware
	r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes

	// Define a route handler
	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
		// A simple response
		w.Write([]byte("Hello, World!"))
	})

	// Start the server
	fmt.Println("Starting server on :8080")
	http.ListenAndServe(":8080", r)
}

Run the server go run main.go

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header
curl -iL -H "Host: example.com" http://localhost:8080/test/

Observe that the request will be redirected to example.com

curl -L -H "Host: example.com" http://localhost:8080/test/

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...

Without the host header, the response is returned from the test server

curl -L http://localhost:8080/test/

404 page not found

Impact

An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

Potential mitigation

It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

• https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93
• https://github.com/go-chi/chi/commit/1be7ad938cc9c5b39a9dea01a5c518848928ab65
• https://github.com/go-chi/chi

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

go-chi/chi (github.com/go-chi/chi/v5)

v5.2.2

Compare Source

What's Changed

• Use strings.Cut in a few places by @​JRaspass in #​971
• Fix non-constant format strings in t.Fatalf by @​JRaspass in #​972
• Apply fieldalignment fixes to optimize struct memory layout by @​pixel365 in #​974
• go 1.24 by @​pkieltyka in #​977
• chore: delint ioutil usage by @​costela in #​962
• Fixed typo in Router interface definition by @​mithileshgupta12 in #​958
• Add support for TinyGo by @​efraimbart in #​978
• Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg by @​cxjava in #​982
• Make use of strings.Cut by @​scop in #​1005
• Change install command format to code block by @​sglkc in #​1001
• Correct documentation by @​mrdomino in #​992

Security fix

• Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
  • a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
  • reported by Anuraag Baishya, @​anuraagbaishya. Thank you!

New Contributors

• @​pixel365 made their first contribution in #​974
• @​mithileshgupta12 made their first contribution in #​958
• @​efraimbart made their first contribution in #​978
• @​cxjava made their first contribution in #​982
• @​sglkc made their first contribution in #​1001
• @​mrdomino made their first contribution in #​992

Full Changelog: go-chi/chi@v5.2.1...v5.2.2

v5.2.1

Compare Source

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See https://github.com/go-chi/chi/issues/963 for related discussion.

What's Changed

• Support the four most recent major versions of Go by @​VojtechVitek in https://github.com/go-chi/chi/pull/969

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

v5.2.0

Compare Source

What's Changed

• update credits section to link to goji license by @​pkieltyka in https://github.com/go-chi/chi/pull/944
• go 1.23 by @​pkieltyka in https://github.com/go-chi/chi/pull/945
• Make Context.RoutePattern() nil-safe by @​gaiaz-iusipov in https://github.com/go-chi/chi/pull/927
• govet: Fix non-constant format string by @​marcofranssen in https://github.com/go-chi/chi/pull/952
• Add Find to Routes interface by @​joeriddles in https://github.com/go-chi/chi/pull/872
• Fix grammar error by @​AntonC9018 in https://github.com/go-chi/chi/pull/917
• ~feat(): add CF-Connecting-IP by @​n33pm in https://github.com/go-chi/chi/pull/908~
  • ~Revert "feat(): add CF-Connecting-IP" by @​VojtechVitek in https://github.com/go-chi/chi/pull/966~
• Fixed incorrect comment about routing by @​jtams in https://github.com/go-chi/chi/pull/887
• Fix condition in TestRedirectSlashes by @​tchssk in https://github.com/go-chi/chi/pull/856
• middleware: Add strip prefix middleware by @​m1k1o in https://github.com/go-chi/chi/pull/875
• Set up go module for _examples/versions by @​hongkuancn in https://github.com/go-chi/chi/pull/948
• Ability to specify response HTTP status code for Throttle middleware by @​vasayxtx in https://github.com/go-chi/chi/pull/571
• Support Content-Type headers with charset/boundary parameters by @​GocaMaric in https://github.com/go-chi/chi/pull/880
• Fix Mux.Find not correctly handling nested routes by @​joeriddles in https://github.com/go-chi/chi/pull/954
• fix(WrapResponseWriter): allow multiple informational statuses by @​costela in https://github.com/go-chi/chi/pull/961

New Contributors

• @​gaiaz-iusipov made their first contribution in https://github.com/go-chi/chi/pull/927
• @​marcofranssen made their first contribution in https://github.com/go-chi/chi/pull/952
• @​joeriddles made their first contribution in https://github.com/go-chi/chi/pull/872
• @​AntonC9018 made their first contribution in https://github.com/go-chi/chi/pull/917
• @​n33pm made their first contribution in https://github.com/go-chi/chi/pull/908
• @​jtams made their first contribution in https://github.com/go-chi/chi/pull/887
• @​tchssk made their first contribution in https://github.com/go-chi/chi/pull/856
• @​m1k1o made their first contribution in https://github.com/go-chi/chi/pull/875
• @​hongkuancn made their first contribution in https://github.com/go-chi/chi/pull/948
• @​GocaMaric made their first contribution in https://github.com/go-chi/chi/pull/880
• @​costela made their first contribution in https://github.com/go-chi/chi/pull/961

Full Changelog: go-chi/chi@v5.1.0...v5.2.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.