Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Network-accessible login endpoint requires no attacker privileges; victim must actively click crafted link and authenticate; no availability impact and scope unchanged.
Primary rating from Vendor (https://github.com/gogs/gogs).
CVSS VectorVendor: https://github.com/gogs/gogs
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Summary
An open redirect vulnerability exists in Gogs where attacker-controlled redirect_to parameters can bypass validation, allowing redirection to arbitrary external sites.
Details
All redirects in Gogs that are validated via the IsSameSite function are vulnerable:
func IsSameSite(url string) bool {
return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}The function only inspects the first two characters of the URL string. This check fails to account for directory traversal sequences followed by backslashes. For example:
/a/../\example.comThe IsSameSite function checks the input supplied to the redirect_to query parameter value /a/../\example.com and considers it valid.
Because web browsers normalize backslashes \ to forward slashes /, the normalized URL becomes //example.com.
The normalized URL becomes:
//example.comResulting in a cross-origin redirect.
This affects all endpoints using the redirect_to query parameter, including login and other post-action flows.
PoC
- An attacker can provide a user with a link to login to Gogs with a
redirect_toquery parameter that redirects a user to a site the attacker wants them to visit:
http://192.168.236.132:3000/user/login?redirect_to=/a/../\example.com<img width="1339" height="536" alt="image" src="https://github.com/user-attachments/assets/3c2a13b8-f0b7-42c2-a223-6f0ebf083589" />
<br> <br>
- After the user successfully logs in, they would be redirected to the site an attacker wants them to visit:
<img width="1066" height="463" alt="image" src="https://github.com/user-attachments/assets/1726a3d9-6705-43cc-bdd2-90aad105d021" />
<img width="1097" height="396" alt="image" src="https://github.com/user-attachments/assets/376052f5-0e00-4d14-a548-fa75a6269530" />
Impact
- Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
- OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
- Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
- Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users
AnalysisAI
Open redirect in Gogs versions up to and including 0.14.2 allows unauthenticated remote attackers to craft login URLs that redirect authenticated users to arbitrary external sites after successful login. The root cause is a two-character-only URL validation in the IsSameSite() function: the path /a/../\example.com passes server-side inspection but resolves to //example.com after browsers normalize backslashes to forward slashes. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must deliver a crafted Gogs URL containing a `redirect_to` parameter with a backslash-based bypass path (e.g., `/a/../\attacker.com`) to a victim user who then clicks the link and completes authentication on the Gogs instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N yields a score of 5.4, reflecting that exploitation requires victim interaction (the user must click a crafted URL and complete login) but imposes no complexity or privilege requirements on the attacker. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker distributes a phishing message containing a legitimate-looking Gogs login URL with `redirect_to=/a/../\attacker.com` appended as a query parameter. The victim clicks the link, is presented with their real Gogs login page, and upon successful authentication is silently redirected to the attacker-controlled domain where a credential-harvesting page or token-capture endpoint is hosted. … |
| Remediation | Upgrade Gogs to version 0.14.3 or later, which resolves the issue via PR #8322 (commit c5da9631dc75f692f313373ae229c4d47ba6517f). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39068
GHSA-xxhq-69mf-w8cr