CVE-2021-45328
Description
Gitea before 1.4.3 is affected by URL Redirection to Untrusted Site ('Open Redirect') via internal URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gitea before 1.4.3 suffers from an open redirect vulnerability via crafted internal URLs, enabling potential phishing attacks.
Vulnerability
Gitea versions prior to 1.4.3 are vulnerable to an open redirect attack through internal URLs. The flaw exists because the application does not properly validate destination URLs when processing certain internal links, such as those used to view repository files. This allows an attacker to craft a link that appears to be internal but redirects to an arbitrary external site [3].
Exploitation
An attacker can exploit this by constructing a malicious URL that leverages internal routes (e.g., those involving symlinks that point outside the repository) to redirect users to an untrusted external domain. The attack requires no authentication and only relies on user interaction, such as clicking on the crafted link [3].
Impact
Successful exploitation enables an attacker to redirect victims to any external website, facilitating phishing attacks or credential theft. The impact is limited to social engineering; no direct code execution or data compromise is possible [3].
Mitigation
The vulnerability was fixed in Gitea version 1.4.3, released in June 2018. Users should upgrade to this version or later immediately [2]. No workarounds are available for affected versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/go-gitea/gitea (Go) | < 1.4.3 | 1.4.3 |
Affected products
3 products
- Gitea/Gitea (OSV coordinates): 2 versions, < 1.4.3 + 1 more
- (no CPE): range < 1.4.3
- (no CPE): range < 1.4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5 references
- github.com/advisories/GHSA-36h2-95gj-w488 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-45328 (GHSA, ADVISORY)
- blog.gitea.io/2018/06/release-of-1.4.3 (GHSA, WEB)
- blog.gitea.io/2018/06/release-of-1.4.3/ (MITRE, x_refsource_MISC)
- github.com/go-gitea/gitea/issues/4332 (GHSA, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.