VYPR
Medium severity · 5.1 · NVD Advisory · Published Jun 17, 2026 · Updated Jun 17, 2026

Gitea: Open Redirect via redirect_to

CVE-2026-25779

Description

Details

Despite the validation within urlIsRelative in modules/httplib/url.go, an open redirect is still possible due to usage of directory traversal sequences plus a back-slash in the "redirect_to" parameter.

PoC

When a user logs in through this URL:

https://gitea.com/user/login?redirect_to=/a/../\example.com

they are redirected to example.com after a successful login to their Gitea account.

Impact

  • Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
  • OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
  • Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
  • Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"The `urlIsRelative` validation in `modules/httplib/url.go` does not block directory traversal sequences combined with a back-slash, allowing an open redirect."

Attack vector

An attacker crafts a login URL such as `https://gitea.com/user/login?redirect_to=/a/../\example.com`. When a victim authenticates successfully, Gitea's `urlIsRelative` function incorrectly treats the manipulated `redirect_to` parameter as relative, but the directory traversal (`/a/../`) combined with a back-slash (`\`) causes the browser to interpret the final target as `example.com`. This open redirect can be used for phishing, OAuth/SSO token theft, referer leakage, or cache poisoning [ref_id=1][ref_id=2].

Affected code

The vulnerability resides in the `urlIsRelative` validation function in `modules/httplib/url.go`. The function fails to account for directory traversal sequences combined with a back-slash, allowing an attacker to bypass the relative-URL check.

What the fix does

The advisory does not include a published patch diff. The recommended fix would need to strengthen the `urlIsRelative` function in `modules/httplib/url.go` to reject `redirect_to` values that contain directory traversal sequences (`../`) combined with back-slashes, or to normalize the path before validation. Without a patch, the advisory states that versions <= 1.25.4 are affected [ref_id=1][ref_id=2].
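To make the mitigation concrete, here is an added Go example (not Gitea's code; `naiveIsRelative` is an illustrative stand-in for a prefix-only check, not the real `urlIsRelative`). It shows that a check which only inspects the leading characters accepts the advisory's payload, while a validator that rejects backslashes and normalizes `..` before deciding does not:

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// naiveIsRelative is an illustrative stand-in (not Gitea's code) for a
// prefix-only check: it accepts anything starting with a single "/" and
// never considers what "../" and "\" do to the path once normalized.
func naiveIsRelative(raw string) bool {
	return strings.HasPrefix(raw, "/") &&
		!strings.HasPrefix(raw, "//") &&
		!strings.Contains(raw, "://")
}

// safeRedirectPath returns a normalized local path that is safe to use as
// a redirect target, or ok=false if the value must be discarded.
func safeRedirectPath(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return "", false // absolute URL, "//host" form, or "scheme:" form
	}
	// Check the decoded path, so a %5c-encoded backslash is caught as well.
	if !strings.HasPrefix(u.Path, "/") || strings.ContainsAny(u.Path, "\\\x00") {
		return "", false
	}
	clean := path.Clean(u.Path) // resolves "." and "..", collapses repeated "/"
	if strings.HasPrefix(clean, "//") {
		return "", false
	}
	if u.RawQuery != "" {
		clean += "?" + u.RawQuery
	}
	return clean, true // always redirect to the normalized value, never the raw one
}

func main() {
	for _, in := range []string{
		"/user/settings",
		"/repo/issues?page=2",
		`/a/../\example.com`,   // the payload quoted in the advisory
		"/a/../%5cexample.com", // same payload with the backslash percent-encoded
		"//example.com",
	} {
		got, ok := safeRedirectPath(in)
		fmt.Printf("%-24q naive=%-5v hardened=%-5v -> %q\n", in, naiveIsRelative(in), ok, got)
	}
}
```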

Preconditions

  • input: The attacker must trick a user into visiting a crafted login URL on a Gitea instance
  • auth: The victim must successfully authenticate (log in) to their Gitea account
  • config: The Gitea instance must be running version <= 1.25.4

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
