Skip to content

hyper-staticfile's location header incorporates user input, allowing open redirect

Moderate severity GitHub Reviewed Published Dec 30, 2022 to the GitHub Advisory Database • Updated Jan 7, 2023

Package

cargo hyper-staticfile (Rust)

Affected versions

< 0.9.4
>= 0.10.0-alpha.1, < 0.10.0-alpha.5

Patched versions

0.9.4
0.10.0-alpha.5

Description

When hyper-staticfile performs a redirect for a directory request (e.g. a request for /dir that redirects to /dir/), the Location header value was derived from user input (the request path), simply appending a slash. The intent was to perform an origin-relative redirect, but specific inputs allowed performing a scheme-relative redirect instead.

An attacker could craft a special URL that would appear to be for the correct domain, but immediately redirects to a malicious domain. Such a URL can benefit phishing attacks, for example an innocent looking link in an email.

References

Published to the GitHub Advisory Database Dec 30, 2022
Reviewed Dec 30, 2022
Last updated Jan 7, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-5wvv-q5fv-2388

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.