CVE-2018-15178
Description
Open redirect vulnerability in Gogs before 0.12 allows remote attackers to redirect users to arbitrary websites and conduct phishing attacks via an initial /\ substring in the user/login redirect_to parameter, related to the function isValidRedirect in routes/user/auth.go.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open redirect in Gogs before 0.12 allows phishing via a crafted redirect_to parameter using an initial /\ substring.
Vulnerability
An open redirect vulnerability exists in Gogs versions before 0.12. The flaw resides in the isValidRedirect function in routes/user/auth.go, which is used during login to validate that the redirect_to parameter points to the same site. The function incorrectly treats a URL starting with /\ as safe, because it only checks that the first character is / and the second is not /. However, browsers normalize /\ to //, enabling an open redirect to an arbitrary external domain [1][3].
Exploitation
An attacker can craft a login URL such as https://victim-gogs.com/user/login?redirect_to=/\attacker.com. When a victim clicks the link and logs in, the isValidRedirect function returns true for the path /\attacker.com. The browser then interprets the Location header as //attacker.com, which is treated as a protocol-relative URL pointing to attacker.com. No authentication or special privileges are required; the attacker only needs to trick the user into visiting the crafted link [2][3].
Impact
Successful exploitation redirects the victim to an arbitrary external website after login. This can be used for phishing attacks, where the attacker hosts a fake login page to steal credentials, or for other social engineering schemes. The redirect occurs in the context of the Gogs application, so the victim may believe they are still on the legitimate site [2][3].
Mitigation
The vulnerability is fixed in Gogs version 0.12. The fix modifies isValidRedirect to also reject URLs where the second character is a backslash (\), as shown in commit 1f247cf [4]. Users should upgrade to Gogs 0.12 or later. No workaround is available for earlier versions [1][2].
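To make the two checks concrete, here is an added Go example (not Gogs code) that places the pre-fix predicate from the 1f247cf diff beside the patched one and runs both over constructed redirect_to values. The helpers browserNormalize and escapesSite are hypothetical: they approximate the browser behaviour described above (treating a backslash like a slash) and are not a full URL parser.

```go
package main

import (
	"fmt"
	"strings"
)

// isValidRedirectVulnerable reproduces the pre-0.12 check quoted in the
// 1f247cf diff: only a '/' as the second byte is rejected, so "/\host"
// passes as if it were a same-site path.
func isValidRedirectVulnerable(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/'
}

// isValidRedirectFixed reproduces the patched check, which additionally
// rejects a backslash as the second byte.
func isValidRedirectFixed(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}

// browserNormalize models the behaviour the narrative describes: for
// http(s) URLs browsers treat '\' as '/', so "/\host" is read as "//host".
// Hypothetical helper; an approximation, not a WHATWG URL parser.
func browserNormalize(url string) string {
	return strings.ReplaceAll(url, "\\", "/")
}

// escapesSite reports whether, after browser normalization, the redirect
// target would leave the current origin (protocol-relative or absolute).
func escapesSite(url string) bool {
	n := browserNormalize(url)
	return strings.HasPrefix(n, "//") || strings.Contains(n, "://")
}

func main() {
	// Constructed sample values for the redirect_to parameter.
	samples := []string{
		"/user/settings",
		"//attacker.example",
		"http://attacker.example",
		"/\\attacker.example",
	}
	for _, s := range samples {
		fmt.Printf("%-26q vulnerable=%-5t fixed=%-5t leaves_site=%t\n",
			s, isValidRedirectVulnerable(s), isValidRedirectFixed(s), escapesSite(s))
	}
}
```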
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | < 0.12.0 | 0.12.0 |
Affected products
Patches
2f17e7d5a2c36 release: remove dev version notion
1 file changed · +1 −1
gogs.go+1 −1 modified@@ -18,7 +18,7 @@ import ( ) func init() { - conf.App.Version = "0.12.0+dev" + conf.App.Version = "0.12.0" } func main() {
1f247cf8139c routes: fix open redirect vulnerability #5364 (#5365)
1 file changed · +2 −2
routes/user/auth.go+2 −2 modified@@ -73,10 +73,10 @@ func AutoLogin(c *context.Context) (bool, error) { } // isValidRedirect returns false if the URL does not redirect to same site. -// False: //url, http://url +// False: //url, http://url, /\url // True: /url func isValidRedirect(url string) bool { - return len(url) >= 2 && url[0] == '/' && url[1] != '/' + return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\' } func Login(c *context.Context) {
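Review bot: the change to isValidRedirect ships without a test, and the diff summary (1 file changed, +2 −2) confirms only auth.go was touched; add a table-driven test pinning the four cases the updated comment now lists (`/url` true; `//url`, `http://url`, `/\url` false) so the regression cannot silently return. It would also help to state in the isValidRedirect doc comment that the check inspects raw bytes of the value as received, since the comment now enumerates specific prefixes and a reader may otherwise assume a parsed URL is being validated.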
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cpgw-2wxr-pww3 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-15178 (GHSA, advisory)
- github.com/gogs/gogs/commit/1f247cf8139cb483276cd8dd06385a800ce9d4b2 (GHSA, web)
- github.com/gogs/gogs/issues/5364 (GHSA, x_refsource_MISC, web)
- github.com/gogs/gogs/pull/5365 (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.