Open Redirect in go-gitea/gitea
Description
Open Redirect in GitHub repository go-gitea/gitea prior to 1.19.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gitea prior to 1.19.4 has an open redirect vulnerability due to incomplete validation of redirect location prefixes, allowing attackers to redirect users to malicious sites.
Vulnerability
Overview
CVE-2023-3515 is an open redirect vulnerability in Gitea, a self-hosted Git service, affecting versions prior to 1.19.4. The root cause lies in the RedirectToFirst function, which insufficiently sanitizes redirect location prefixes. Specifically, the code only checked for leading // or /\, but failed to block sequences like \\ or \/, which browsers interpret as protocol-relative URLs, enabling redirection to arbitrary external domains [1][3].
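To make the boundary of the check concrete, here is an added illustration (not Gitea's own code) that places the pre-fix and post-fix conditions from the fix commit side by side and runs both through a stand-in for RedirectToFirst. The helper `redirectToFirst`, its `fallback` parameter and the candidate locations are constructed for this example; only the two boolean conditions are taken from the patch.

```go
package main

import "fmt"

// Added example, not Gitea's own code. The two predicates reproduce the
// before/after condition from the fix commit for CVE-2023-3515; the
// surrounding helper and sample inputs are constructed for illustration.

// unsafePrefixBefore is the pre-1.19.4 condition: only "//" and "/\" are
// treated as protocol-relative and skipped.
func unsafePrefixBefore(loc string) bool {
	return len(loc) > 1 && loc[0] == '/' && (loc[1] == '/' || loc[1] == '\\')
}

// unsafePrefixAfter is the patched condition: any location whose first two
// characters are each '/' or '\' is skipped, covering "//", "/\", "\\", "\/".
func unsafePrefixAfter(loc string) bool {
	return len(loc) > 1 &&
		(loc[0] == '/' || loc[0] == '\\') &&
		(loc[1] == '/' || loc[1] == '\\')
}

// redirectToFirst is a hypothetical stand-in for Gitea's RedirectToFirst: it
// returns the first non-empty candidate that the given check does not reject,
// and fallback (Gitea would use its app sub-URL) when every candidate is
// rejected or empty.
func redirectToFirst(unsafe func(string) bool, fallback string, candidates ...string) string {
	for _, loc := range candidates {
		if loc == "" || unsafe(loc) {
			continue
		}
		return loc
	}
	return fallback
}

func main() {
	// Constructed candidate locations: the four two-character prefixes plus
	// an ordinary in-app path that must still be accepted.
	candidates := []string{`//example.org/x`, `/\example.org/x`, `\\example.org/x`, `\/example.org/x`, `/user/repo`}
	fmt.Printf("%-20s %-8s %-8s\n", "location", "before", "after")
	for _, c := range candidates {
		fmt.Printf("%-20s %-8v %-8v\n", c, unsafePrefixBefore(c), unsafePrefixAfter(c))
	}
	// End-to-end: with the old check a backslash-prefixed location is chosen;
	// with the new one it is skipped and the in-app path is used instead.
	fmt.Println(redirectToFirst(unsafePrefixBefore, "/", `\\example.org/x`, `/user/repo`))
	fmt.Println(redirectToFirst(unsafePrefixAfter, "/", `\\example.org/x`, `/user/repo`))
}
```

The table printed by `main` shows the two backslash-led prefixes returning `false` under the old condition and `true` under the new one, while `/user/repo` stays accepted by both; the two trailing lines show the same difference at the level of the chosen redirect target.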
Exploitation
An attacker can exploit this vulnerability by crafting a URL whose redirect parameter carries a value such as \attacker.com. When a user clicks on such a link, Gitea's redirect logic incorrectly treats it as a relative path, but browsers interpret the leading backslash as part of a protocol-relative URL, causing the user to be redirected to the attacker's domain. No authentication is required, and the attack can be delivered via phishing links or embedded in third-party sites that leverage Gitea's redirect functionality [3].
Impact
Successful exploitation allows an attacker to redirect users to malicious websites, facilitating phishing attacks, credential theft, or malware distribution. While the vulnerability itself does not directly expose sensitive data, it weakens trust in the service and can be used as a stepping stone for further attacks [4].
Mitigation
The vulnerability has been patched in Gitea version 1.19.4. Users are strongly advised to upgrade to the latest version or apply the patch from commit 9aaaf98 [3]. Gentoo has also released a GLSA (202312-13) recommending the upgrade to version 1.20.6 or later [4]. No workarounds are available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| code.gitea.io/gitea (Go) | < 1.19.4 | 1.19.4 |
Affected products (5 OSV coordinates)
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 1.19.4
- (no CPE) range: < 1.19.4
- go-gitea/go-gitea/gitea (v5) range: unspecified
Patches (1)
9aaaf980f0ba Fix open redirect check for more cases (#25143)
1 file changed · +2 −2
modules/context/context_response.go+2 −2 modified@@ -49,9 +49,9 @@ func (ctx *Context) RedirectToFirst(location ...string) { continue } - // Unfortunately browsers consider a redirect Location with preceding "//" and "/\" as meaning redirect to "http(s)://REST_OF_PATH" + // Unfortunately browsers consider a redirect Location with preceding "//", "\\" and "/\" as meaning redirect to "http(s)://REST_OF_PATH" // Therefore we should ignore these redirect locations to prevent open redirects - if len(loc) > 1 && loc[0] == '/' && (loc[1] == '/' || loc[1] == '\\') { + if len(loc) > 1 && (loc[0] == '/' || loc[0] == '\\') && (loc[1] == '/' || loc[1] == '\\') { continue }
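Review bot: the updated comment lists only "//", "\\" and "/\" as the prefixes browsers treat as protocol-relative, but the new condition `(loc[0] == '/' || loc[0] == '\\') && (loc[1] == '/' || loc[1] == '\\')` also rejects "\/"; list all four two-character combinations in the comment so it documents exactly what the check covers. A table-driven unit test over those four prefixes, together with ordinary relative paths such as `/user/repo` and the one-character inputs `/` and `\` that the `len(loc) > 1` guard lets through, would pin the boundary down and keep the next widening of the check from regressing silently.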
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.