Update module github.com/go-chi/chi/v5 to v5.2.2 [SECURITY] #198

renovate · 2025-06-20T17:29:21Z

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/go-chi/chi/v5	`v5.0.11` -> `v5.2.2`

GitHub Vulnerability Alerts

GHSA-vrw8-fxc6-2r93

Summary

The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

Details

The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/v5.2.1/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

PoC

Create a simple server which uses the RedirectSlashes middleware

package main

import (
	"fmt"
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware" // Import the middleware package
)

func main() {
	// Create a new Chi router
	r := chi.NewRouter()

	// Use the built-in RedirectSlashes middleware
	r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes

	// Define a route handler
	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
		// A simple response
		w.Write([]byte("Hello, World!"))
	})

	// Start the server
	fmt.Println("Starting server on :8080")
	http.ListenAndServe(":8080", r)
}

Run the server go run main.go

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header
curl -iL -H "Host: example.com" http://localhost:8080/test/

Observe that the request will be redirected to example.com

curl -L -H "Host: example.com" http://localhost:8080/test/

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...

Without the host header, the response is returned from the test server

curl -L http://localhost:8080/test/

404 page not found

Impact

An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

Potential mitigation

It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.

chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes

GHSA-vrw8-fxc6-2r93

More information

Details

Summary

The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

Details

The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/v5.2.1/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

PoC

Create a simple server which uses the RedirectSlashes middleware

package main

import (
	"fmt"
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware" // Import the middleware package
)

func main() {
	// Create a new Chi router
	r := chi.NewRouter()

	// Use the built-in RedirectSlashes middleware
	r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes

	// Define a route handler
	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
		// A simple response
		w.Write([]byte("Hello, World!"))
	})

	// Start the server
	fmt.Println("Starting server on :8080")
	http.ListenAndServe(":8080", r)
}

Run the server go run main.go

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header
curl -iL -H "Host: example.com" http://localhost:8080/test/

Observe that the request will be redirected to example.com

curl -L -H "Host: example.com" http://localhost:8080/test/

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...

Without the host header, the response is returned from the test server

curl -L http://localhost:8080/test/

404 page not found

Impact

An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

Potential mitigation

It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.

Severity

CVSS Score: Unknown
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

go-chi/chi (github.com/go-chi/chi/v5)

`v5.2.2`

Compare Source

What's Changed

Use strings.Cut in a few places by @JRaspass in https://github.com/go-chi/chi/pull/971
Fix non-constant format strings in t.Fatalf by @JRaspass in https://github.com/go-chi/chi/pull/972
Apply fieldalignment fixes to optimize struct memory layout by @pixel365 in https://github.com/go-chi/chi/pull/974
go 1.24 by @pkieltyka in https://github.com/go-chi/chi/pull/977
chore: delint ioutil usage by @costela in https://github.com/go-chi/chi/pull/962
Fixed typo in Router interface definition by @mithileshgupta12 in https://github.com/go-chi/chi/pull/958
Add support for TinyGo by @efraimbart in https://github.com/go-chi/chi/pull/978
Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg by @cxjava in https://github.com/go-chi/chi/pull/982
Make use of strings.Cut by @scop in https://github.com/go-chi/chi/pull/1005
Change install command format to code block by @sglkc in https://github.com/go-chi/chi/pull/1001
Correct documentation by @mrdomino in https://github.com/go-chi/chi/pull/992

Security fix

Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
- a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
- reported by Anuraag Baishya, @anuraagbaishya. Thank you!

New Contributors

@pixel365 made their first contribution in https://github.com/go-chi/chi/pull/974
@mithileshgupta12 made their first contribution in https://github.com/go-chi/chi/pull/958
@efraimbart made their first contribution in https://github.com/go-chi/chi/pull/978
@cxjava made their first contribution in https://github.com/go-chi/chi/pull/982
@sglkc made their first contribution in https://github.com/go-chi/chi/pull/1001
@mrdomino made their first contribution in https://github.com/go-chi/chi/pull/992

Full Changelog: go-chi/chi@v5.2.1...v5.2.2

`v5.2.1`

Compare Source

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See https://github.com/go-chi/chi/issues/963 for related discussion.

What's Changed

Support the four most recent major versions of Go by @VojtechVitek in https://github.com/go-chi/chi/pull/969

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

`v5.2.0`

Compare Source

What's Changed

update credits section to link to goji license by @pkieltyka in https://github.com/go-chi/chi/pull/944
go 1.23 by @pkieltyka in https://github.com/go-chi/chi/pull/945
Make Context.RoutePattern() nil-safe by @gaiaz-iusipov in https://github.com/go-chi/chi/pull/927
govet: Fix non-constant format string by @marcofranssen in https://github.com/go-chi/chi/pull/952
Add Find to Routes interface by @joeriddles in https://github.com/go-chi/chi/pull/872
Fix grammar error by @AntonC9018 in https://github.com/go-chi/chi/pull/917
~feat(): add CF-Connecting-IP by @n33pm in https://github.com/go-chi/chi/pull/908~
- ~Revert "feat(): add CF-Connecting-IP" by @VojtechVitek in https://github.com/go-chi/chi/pull/966~
Fixed incorrect comment about routing by @jtams in https://github.com/go-chi/chi/pull/887
Fix condition in TestRedirectSlashes by @tchssk in https://github.com/go-chi/chi/pull/856
middleware: Add strip prefix middleware by @m1k1o in https://github.com/go-chi/chi/pull/875
Set up go module for _examples/versions by @hongkuancn in https://github.com/go-chi/chi/pull/948
Ability to specify response HTTP status code for Throttle middleware by @vasayxtx in https://github.com/go-chi/chi/pull/571
Support Content-Type headers with charset/boundary parameters by @GocaMaric in https://github.com/go-chi/chi/pull/880
Fix Mux.Find not correctly handling nested routes by @joeriddles in https://github.com/go-chi/chi/pull/954
fix(WrapResponseWriter): allow multiple informational statuses by @costela in https://github.com/go-chi/chi/pull/961

New Contributors

@gaiaz-iusipov made their first contribution in https://github.com/go-chi/chi/pull/927
@marcofranssen made their first contribution in https://github.com/go-chi/chi/pull/952
@joeriddles made their first contribution in https://github.com/go-chi/chi/pull/872
@AntonC9018 made their first contribution in https://github.com/go-chi/chi/pull/917
@n33pm made their first contribution in https://github.com/go-chi/chi/pull/908
@jtams made their first contribution in https://github.com/go-chi/chi/pull/887
@tchssk made their first contribution in https://github.com/go-chi/chi/pull/856
@m1k1o made their first contribution in https://github.com/go-chi/chi/pull/875
@hongkuancn made their first contribution in https://github.com/go-chi/chi/pull/948
@GocaMaric made their first contribution in https://github.com/go-chi/chi/pull/880
@costela made their first contribution in https://github.com/go-chi/chi/pull/961

Full Changelog: go-chi/chi@v5.1.0...v5.2.0

`v5.1.0`

Compare Source

What's Changed

middleware: add Discard method to WrapResponseWriter by @patrislav in https://github.com/go-chi/chi/pull/926
- Adds Discard() method to the middleware.WrapResponseWriter interface. This is technically an API breaking change. However after some discussion at https://github.com/go-chi/chi/pull/926#discussion_r16583334811, we decided to move forward, and release as minor version, as we don't expect anyone to rely on this interface / implement it externally.

New Contributors

@patrislav made their first contribution in https://github.com/go-chi/chi/pull/926

Full Changelog: go-chi/chi@v5.0.14...v5.1.0

`v5.0.14`

Compare Source

What's Changed

middleware: fix typo in RealIP doc by @l2dy in https://github.com/go-chi/chi/pull/903
reduce size of Context struct from 216 bytes to 208 bytes by @juburr in https://github.com/go-chi/chi/pull/912
Avoid possible memory leak in compress middleware by @Neurostep in https://github.com/go-chi/chi/pull/919
docs: Update stale links in docs for contributing by @Lutherwaves in https://github.com/go-chi/chi/pull/904
Revert "Avoid possible memory leak in compress middleware" by @VojtechVitek in https://github.com/go-chi/chi/pull/924

New Contributors

@l2dy made their first contribution in https://github.com/go-chi/chi/pull/903
@juburr made their first contribution in https://github.com/go-chi/chi/pull/912
@Neurostep made their first contribution in https://github.com/go-chi/chi/pull/919
@Lutherwaves made their first contribution in https://github.com/go-chi/chi/pull/904

Full Changelog: go-chi/chi@v5.0.12...v5.0.14

`v5.0.13`

Compare Source

What's Changed

middleware: fix typo in RealIP doc by @l2dy in https://github.com/go-chi/chi/pull/903
reduce size of Context struct from 216 bytes to 208 bytes by @juburr in https://github.com/go-chi/chi/pull/912
Avoid possible memory leak in compress middleware by @Neurostep in https://github.com/go-chi/chi/pull/919

New Contributors

@l2dy made their first contribution in https://github.com/go-chi/chi/pull/903
@juburr made their first contribution in https://github.com/go-chi/chi/pull/912
@Neurostep made their first contribution in https://github.com/go-chi/chi/pull/919

Full Changelog: go-chi/chi@v5.0.12...v5.0.13

`v5.0.12`

Compare Source

History of changes: see go-chi/chi@v5.0.11...v5.0.12

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2025-06-20T17:29:22Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go mod tidy
go: downloading github.com/stretchr/testify v1.8.4
go: downloading gotest.tools/v3 v3.5.1
go: downloading go.uber.org/goleak v1.2.1
go: downloading gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.10.0
go: downloading go.opentelemetry.io/otel/sdk v1.10.0
go: downloading github.com/kr/pretty v0.3.1
go: downloading github.com/morikuni/aec v1.0.0
go: downloading github.com/kr/text v0.2.0
go: downloading github.com/rogpeppe/go-internal v1.10.0
go: downloading github.com/sergi/go-diff v1.1.0
go: downloading github.com/stretchr/objx v0.5.0
go: finding module for package github.com/containerd/log
go: downloading github.com/containerd/log v0.1.0
go: finding module for package go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
go: downloading go.opentelemetry.io/otel v1.36.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0
go: downloading go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0
go: downloading go.opentelemetry.io v0.1.0
go: downloading go.opentelemetry.io/otel/exporters/otlp v0.20.1
go: finding module for package go.opentelemetry.io/otel/semconv/v1.21.0
go: found github.com/containerd/log in github.com/containerd/log v0.1.0
go: found go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp in go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.36.0
go: found go.opentelemetry.io/otel/semconv/v1.21.0 in go.opentelemetry.io/otel v1.36.0
go: downloading golang.org/x/crypto v0.38.0
go: downloading golang.org/x/sys v0.33.0
go: downloading golang.org/x/term v0.32.0
go: downloading github.com/go-logr/logr v1.4.2
go: downloading github.com/google/go-cmp v0.7.0
go: downloading github.com/stretchr/testify v1.10.0
go: downloading golang.org/x/net v0.40.0
go: downloading go.opentelemetry.io/otel/trace v1.36.0
go: downloading google.golang.org/protobuf v1.36.6
go: downloading github.com/google/uuid v1.6.0
go: downloading go.opentelemetry.io/otel/metric v1.36.0
go: downloading go.opentelemetry.io/otel/sdk v1.36.0
go: downloading golang.org/x/sync v0.14.0
go: downloading golang.org/x/text v0.25.0
go: downloading golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d
go: downloading github.com/sirupsen/logrus v1.9.3
go: downloading go.opentelemetry.io/proto/otlp v1.6.0
go: downloading go.opentelemetry.io/auto/sdk v1.1.0
go: downloading google.golang.org/grpc v1.72.1
go: downloading github.com/cenkalti/backoff/v5 v5.0.2
go: downloading github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3
go: downloading github.com/grpc-ecosystem/grpc-gateway v1.16.0
go: downloading golang.org/x/mod v0.17.0
go: downloading google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237
go: downloading google.golang.org/genproto v0.0.0-20230526161137-0005af68ea54
go: downloading google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237
go: downloading go.uber.org/goleak v1.3.0
go: downloading github.com/rogpeppe/go-internal v1.13.1
go: finding module for package go.opentelemetry.io/otel/metric/global
go: finding module for package go.opentelemetry.io/otel/metric/instrument/syncfloat64
go: finding module for package go.opentelemetry.io/otel/metric/instrument/syncint64
go: github.com/janog-netcon/netcon-problem-management-subsystem/cmd/nclet imports
	github.com/docker/docker/client imports
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp imports
	go.opentelemetry.io/otel/metric/global: module go.opentelemetry.io/otel/metric@latest found (v1.36.0), but does not contain package go.opentelemetry.io/otel/metric/global
go: github.com/janog-netcon/netcon-problem-management-subsystem/cmd/nclet imports
	github.com/docker/docker/client imports
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp imports
	go.opentelemetry.io/otel/metric/instrument/syncfloat64: module go.opentelemetry.io/otel/metric@latest found (v1.36.0), but does not contain package go.opentelemetry.io/otel/metric/instrument/syncfloat64
go: github.com/janog-netcon/netcon-problem-management-subsystem/cmd/nclet imports
	github.com/docker/docker/client imports
	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp imports
	go.opentelemetry.io/otel/metric/instrument/syncint64: module go.opentelemetry.io/otel/metric@latest found (v1.36.0), but does not contain package go.opentelemetry.io/otel/metric/instrument/syncint64

Update module github.com/go-chi/chi/v5 to v5.2.2 [SECURITY]

1c81c54

renovate bot requested a review from proelbtn June 20, 2025 17:29

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update module github.com/go-chi/chi/v5 to v5.2.2 [SECURITY] #198

Update module github.com/go-chi/chi/v5 to v5.2.2 [SECURITY] #198

Uh oh!

renovate bot commented Jun 20, 2025 •

edited

Loading

Uh oh!

renovate bot commented Jun 20, 2025

Uh oh!

Uh oh!

Update module github.com/go-chi/chi/v5 to v5.2.2 [SECURITY] #198

Are you sure you want to change the base?

Update module github.com/go-chi/chi/v5 to v5.2.2 [SECURITY] #198

Uh oh!

Conversation

renovate bot commented Jun 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Summary

Details

PoC

Impact

Potential mitigation

chi Allows Host Header Injection which Leads to Open Redirect in RedirectSlashes

Details

Summary

Details

PoC

Impact

Potential mitigation

Severity

References

Release Notes

What's Changed

Security fix

New Contributors

⚠️ Chi supports Go 1.20+

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

Configuration

Uh oh!

renovate bot commented Jun 20, 2025

⚠️ Artifact update problem

File name: go.sum

Uh oh!

Uh oh!

renovate bot commented Jun 20, 2025 •

edited

Loading