Open Redirect on login in go-gitea/gitea
Description
Open Redirect on login in GitHub repository go-gitea/gitea prior to 1.16.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gitea before 1.16.5 contains an open redirect via specially crafted login redirect paths.
Vulnerability
Gitea versions prior to 1.16.5 contain an open redirect vulnerability during the login process. The issue occurs because the software accepts redirection locations that begin with a backslash followed by a forward slash (/\), which browsers interpret as a protocol-relative URL (//), allowing an attacker to redirect users to arbitrary external domains. This was fixed in pull request #19175 by rejecting such malformed redirect paths [1] [4].
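A self-contained validator for post-login redirect targets, written here as an added example in the spirit of the fix just described; it is not Gitea's own code. The appURL value and the host names in the sample inputs are assumed/constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// appURL stands in for the instance's configured base URL (assumed for this example).
const appURL = "https://git.example.org/"

// isSafeRedirect reports whether loc may be used as a post-login redirect.
// Step 1 mirrors the 1.16.5 fix: a location whose first two characters are
// "//" or "/\" is treated by browsers as protocol-relative (scheme://host...),
// so it is rejected before any URL parsing happens. Step 2 rejects absolute
// URLs that do not point back at this instance. Everything else must be a
// same-origin path starting with "/" (this last rule is this example's choice).
func isSafeRedirect(loc string) bool {
	if len(loc) > 1 && loc[0] == '/' && (loc[1] == '/' || loc[1] == '\\') {
		return false // "//host/..." or "/\host/..." -> external redirect
	}
	u, err := url.Parse(loc)
	if err != nil {
		return false
	}
	if u.Scheme != "" || u.Host != "" {
		// Absolute URL: only allow it when it is rooted at our own base URL.
		return strings.HasPrefix(strings.ToLower(loc), strings.ToLower(appURL))
	}
	return strings.HasPrefix(loc, "/")
}

// firstSafeRedirect returns the first acceptable candidate, or fallback
// when none of them passes the check.
func firstSafeRedirect(fallback string, candidates ...string) string {
	for _, loc := range candidates {
		if isSafeRedirect(loc) {
			return loc
		}
	}
	return fallback
}

func main() {
	// Constructed sample inputs: two protocol-relative forms, a local path,
	// an absolute URL on our own instance and an absolute URL elsewhere.
	for _, loc := range []string{"//attacker.example/x", `/\attacker.example/x`,
		"/user/repo", "https://git.example.org/user", "https://attacker.example/"} {
		fmt.Printf("%-34q safe=%v\n", loc, isSafeRedirect(loc))
	}
}
```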
Exploitation
An attacker can exploit this vulnerability by crafting a login URL that includes a malicious redirect parameter starting with /\ followed by an external domain (e.g., /\attacker.com). No authentication or special access is required; the attacker only needs to trick a victim into clicking such a link. The browser then interprets the path as a protocol-relative URL and redirects the user to the attacker-controlled site after a successful login [1] [4].
Impact
Successful exploitation allows an attacker to redirect a victim to an arbitrary external website after login. This can be used for phishing attacks, credential theft, or distributing malware, compromising the victim's trust and security. The vulnerability is classified as open redirect (CWE-601) with a CVSS score indicating medium severity [3].
Mitigation
The vulnerability is fixed in Gitea version 1.16.5, released on or around March 23, 2022. Administrators should upgrade to this version or later. No workaround other than patching is available. The commit that resolves the issue is e3d8e92bdc67562783de9a76b5b7842b68daeb48 [3]. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.gitea.io/gitea (Go) | < 1.16.5 | 1.16.5 |
Affected products
- OSV coordinates (2 versions): < 1.16.5, + 1 more
- (no CPE) range: < 1.16.5
- go-gitea/go-gitea/gitea v5 range: unspecified
Patches
- e3d8e92bdc67: Prevent redirect to Host (2) (#19175) (#19186)
1 file changed · +6 −0
modules/context/context.go+6 −0 modified@@ -181,6 +181,12 @@ func (ctx *Context) RedirectToFirst(location ...string) { continue } + // Unfortunately browsers consider a redirect Location with preceding "//" and "/\" as meaning redirect to "http(s)://REST_OF_PATH" + // Therefore we should ignore these redirect locations to prevent open redirects + if len(loc) > 1 && loc[0] == '/' && (loc[1] == '/' || loc[1] == '\\') { + continue + } + u, err := url.Parse(loc) if err != nil || ((u.Scheme != "" || u.Host != "") && !strings.HasPrefix(strings.ToLower(loc), strings.ToLower(setting.AppURL))) { continue
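Review bot: the new guard ships without a test; the commit touches only modules/context/context.go (`1 file changed · +6 −0`), so nothing exercises the three-part condition `len(loc) > 1 && loc[0] == '/' && (loc[1] == '/' || loc[1] == '\\')`. Suggest a table-driven test for RedirectToFirst with a `//host/path` case, a `/\host/path` case and an ordinary `/user/repo` path, asserting that the first two are skipped and the third is used. The guard also has to stay ahead of the `url.Parse` check that follows it, since a backslash-prefixed location parses as a plain path with empty Scheme and Host and would otherwise sail through the AppURL prefix comparison; a one-line comment stating that ordering constraint would keep a later refactor from reordering the two checks.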
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-4rqq-rxvc-v2rc (GHSA, advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-1058 (GHSA, advisory)
3. github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48 (GHSA, x_refsource_MISC, web)
4. github.com/go-gitea/gitea/pull/19175 (GHSA, web)
5. github.com/go-gitea/gitea/pull/19186 (GHSA, web)
6. huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.