CVE-2026-25779
Published:June 17, 2026
Updated:June 18, 2026
Details Despite the validation within "urlIsRelative" in "modules/httplib/url.go", an open redirect is still possible due to usage of directory traversal sequences plus a back-slash in the "redirect_to" parameter. PoC When a user uses this URL to login: "https://gitea.com/user/login?redirect_to=/a/../\example.com" They would be redirected to "example.com" upon a successful login to their gitea account. Impact * Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages * OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect * Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header * Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users
Affected Packages
github.com/go-gitea/gitea (GO):
Affected version(s) >=v0.0.0-20140212020143-475e3471b4e8 <v1.25.5Fix Suggestion:
Update to version v1.25.5Related Resources (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
ACTIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
URL Redirection to Untrusted Site ('Open Redirect')