Skip to content

fix(deps): update module github.com/go-chi/chi/v5 to v5.2.2 [security] - autoclosed#2035

Closed
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-go-chi-chi-v5-vulnerability
Closed

fix(deps): update module github.com/go-chi/chi/v5 to v5.2.2 [security] - autoclosed#2035
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-go-chi-chi-v5-vulnerability

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jul 17, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/go-chi/chi/v5 v5.0.10 -> v5.2.2 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-vrw8-fxc6-2r93

Summary

The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

We consider this a lower-severity open redirect, as it can't be exploited from browsers or email clients (requires manipulation of a Host header).

Details

The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/master/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

PoC

Create a simple server which uses the RedirectSlashes middleware

package main

import (
	"fmt"
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware" // Import the middleware package
)

func main() {
	// Create a new Chi router
	r := chi.NewRouter()

	// Use the built-in RedirectSlashes middleware
	r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes

	// Define a route handler
	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
		// A simple response
		w.Write([]byte("Hello, World!"))
	})

	// Start the server
	fmt.Println("Starting server on :8080")
	http.ListenAndServe(":8080", r)
}

Run the server go run main.go

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header
curl -iL -H "Host: example.com" http://localhost:8080/test/

Observe that the request will be redirected to example.com

curl -L -H "Host: example.com" http://localhost:8080/test/

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...

Without the host header, the response is returned from the test server

curl -L http://localhost:8080/test/

404 page not found

Impact

An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

Potential mitigation

It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.

Release Notes

go-chi/chi (github.com/go-chi/chi/v5)

v5.2.2

Compare Source

What's Changed

Security fix

  • Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
    • a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
    • reported by Anuraag Baishya, @​anuraagbaishya. Thank you!

New Contributors

Full Changelog: go-chi/chi@v5.2.1...v5.2.2

v5.2.1

Compare Source

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See #​963 for related discussion.

What's Changed

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

v5.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-chi/chi@v5.1.0...v5.2.0

v5.1.0

Compare Source

What's Changed

  • middleware: add Discard method to WrapResponseWriter by @​patrislav in #​926
    • Adds Discard() method to the middleware.WrapResponseWriter interface. This is technically an API breaking change. However after some discussion at #​926 (comment), we decided to move forward, and release as minor version, as we don't expect anyone to rely on this interface / implement it externally.

New Contributors

Full Changelog: go-chi/chi@v5.0.14...v5.1.0

v5.0.14

Compare Source

What's Changed

New Contributors

Full Changelog: go-chi/chi@v5.0.12...v5.0.14

v5.0.13

Compare Source

What's Changed

New Contributors

Full Changelog: go-chi/chi@v5.0.12...v5.0.13

v5.0.12

Compare Source

v5.0.11

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 17, 2025
@renovate renovate bot requested a review from a team as a code owner July 17, 2025 15:22
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 17, 2025
@socket-security
Copy link

socket-security bot commented Jul 17, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedgithub.com/​go-chi/​chi/​v5@​v5.0.10 ⏵ v5.2.270 +1100 +2100100100

View full report

@kusari-inspector
Copy link

kusari-inspector bot commented Jul 17, 2025
edited
Loading

Kusari Inspector

Kusari Analysis Results:

Proceed with these changes

✅ No Flagged Issues Detected
All values appear to be within acceptable risk parameters.

Both dependency and code security analyses unanimously support proceeding with this PR. The update resolves a moderate severity open redirect vulnerability (GHSA-vrw8-fxc6-2r93) in go-chi/chi/v5 by upgrading from vulnerable version 5.0.10 to patched version 5.2.2. Code analysis confirms zero security issues across all categories, validating that no new vulnerabilities are introduced. This represents a clear net positive security improvement with minimal risk. The only minor consideration is potentially updating to version 5.2.3 for the latest patches, but version 5.2.2 already contains the critical security fix needed.

Note

View full detailed analysis result for more information on the output and the checks that were run.

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 26abf25, performed at: 2025-09-25T17:10:49Z

Found this helpful? Give it a 👍 or 👎 reaction!

@renovate renovate bot force-pushed the renovate/go-github.com-go-chi-chi-v5-vulnerability branch from 32602f3 to 42ff3d0 Compare August 10, 2025 14:53
@kusari-inspector
Copy link

kusari-inspector bot commented Aug 10, 2025

Kusari PR Analysis rerun based on - 42ff3d0 performed at: 2025-08-10T14:54:04Z - link to updated analysis

@renovate renovate bot force-pushed the renovate/go-github.com-go-chi-chi-v5-vulnerability branch from 42ff3d0 to 62ebb9b Compare September 25, 2025 14:04
@kusari-inspector
Copy link

kusari-inspector bot commented Sep 25, 2025

Kusari PR Analysis rerun based on - 62ebb9b performed at: 2025-09-25T14:06:15Z - link to updated analysis

@renovate renovate bot force-pushed the renovate/go-github.com-go-chi-chi-v5-vulnerability branch from 62ebb9b to 2ffc880 Compare September 25, 2025 16:53
@kusari-inspector
Copy link

kusari-inspector bot commented Sep 25, 2025

Kusari PR Analysis rerun based on - 2ffc880 performed at: 2025-09-25T16:55:10Z - link to updated analysis

@renovate renovate bot force-pushed the renovate/go-github.com-go-chi-chi-v5-vulnerability branch from 2ffc880 to 26abf25 Compare September 25, 2025 17:10
@kusari-inspector
Copy link

kusari-inspector bot commented Sep 25, 2025

Kusari PR Analysis rerun based on - 26abf25 performed at: 2025-09-25T17:12:02Z - link to updated analysis

@renovate renovate bot changed the title fix(deps): update module github.com/go-chi/chi/v5 to v5.2.2 [security] fix(deps): update module github.com/go-chi/chi/v5 to v5.2.2 [security] - autoclosed Nov 1, 2025
@renovate renovate bot closed this Nov 1, 2025
@renovate renovate bot deleted the renovate/go-github.com-go-chi-chi-v5-vulnerability branch November 1, 2025 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants