Skip to content

fix(deps): update module github.com/go-chi/chi/v5 to v5.2.2 [security] #2035

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update module github.com/go-chi/chi/v5 to v5.2.2 [security] #2035

wants to merge 1 commit into from
+6 −6

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 17, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/go-chi/chi/v5 v5.0.10 -> v5.2.2 age confidence

GitHub Vulnerability Alerts

GHSA-vrw8-fxc6-2r93

Summary

The RedirectSlashes function in middleware/strip.go is vulnerable to host header injection which leads to open redirect.

Details

The RedirectSlashes method uses the Host header to construct the redirectURL at this line https://github.com/go-chi/chi/blob/v5.2.1/middleware/strip.go#L55

The Host header can be manipulated by a user to be any arbitrary host. This leads to open redirect when using the RedirectSlashes middleware

PoC

Create a simple server which uses the RedirectSlashes middleware

package main

import (
	"fmt"
	"net/http"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware" // Import the middleware package
)

func main() {
	// Create a new Chi router
	r := chi.NewRouter()

	// Use the built-in RedirectSlashes middleware
	r.Use(middleware.RedirectSlashes) // Use middleware.RedirectSlashes

	// Define a route handler
	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
		// A simple response
		w.Write([]byte("Hello, World!"))
	})

	// Start the server
	fmt.Println("Starting server on :8080")
	http.ListenAndServe(":8080", r)
}

Run the server go run main.go

Once the server is running, send a request that will trigger the RedirectSlashes function with an arbitrary Host header
curl -iL -H "Host: example.com" http://localhost:8080/test/

Observe that the request will be redirected to example.com

curl -L -H "Host: example.com" http://localhost:8080/test/

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;
... snipped ...

Without the host header, the response is returned from the test server

curl -L http://localhost:8080/test/

404 page not found

Impact

An open redirect vulnerability allows attackers to trick users into visiting malicious sites. This can lead to phishing attacks, credential theft, and malware distribution, as users trust the application’s domain while being redirected to harmful sites.

Potential mitigation

It seems that the purpose of the RedirectSlashes function is to redirect within the same application. In that case r.RequestURI can be used instead of r.Host by default. If there is a use case to redirect to a different host, a flag can be added to use the Host header instead. As this flag will be controlled by the developer they will make the decision of allowing redirects to arbitrary hosts based on their judgement.

Release Notes

go-chi/chi (github.com/go-chi/chi/v5)

v5.2.2

Compare Source

What's Changed

Security fix

  • Fixes GHSA-vrw8-fxc6-2r93 - "Host Header Injection Leads to Open Redirect in RedirectSlashes" commit
    • a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
    • reported by Anuraag Baishya, @​anuraagbaishya. Thank you!

New Contributors

Full Changelog: go-chi/chi@v5.2.1...v5.2.2

v5.2.1

Compare Source

⚠️ Chi supports Go 1.20+

Starting this release, we will now support the four most recent major versions of Go. See https://github.com/go-chi/chi/issues/963 for related discussion.

What's Changed

Full Changelog: go-chi/chi@v5.2.0...v5.2.1

v5.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-chi/chi@v5.1.0...v5.2.0

v5.1.0

Compare Source

What's Changed
New Contributors

Full Changelog: go-chi/chi@v5.0.14...v5.1.0

v5.0.14

Compare Source

What's Changed
New Contributors

Full Changelog: go-chi/chi@v5.0.12...v5.0.14

v5.0.13

Compare Source

What's Changed
New Contributors

Full Changelog: go-chi/chi@v5.0.12...v5.0.13

v5.0.12

Compare Source

v5.0.11

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 17, 2025
@renovate renovate bot requested a review from a team as a code owner July 17, 2025 15:22
@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 17, 2025
@socket-security Socket Security
Copy link

socket-security bot commented Jul 17, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedgithub.com/​go-chi/​chi/​v5@​v5.0.10 ⏵ v5.2.270 +1100 +2100100100

View full report

@kusari-inspector Kusari Inspector
Copy link

kusari-inspector bot commented Jul 17, 2025
edited
Loading

Kusari Analysis Results

Analysis for commit: 42ff3d0, performed at: 2025-08-10T14:55:28Z

@kusari-inspector rerun - Trigger a re-analysis of this PR

@kusari-inspector feedback [your message] - Send feedback to our AI and team

Recommendation

✅ PROCEED with this Pull Request

Summary

No Flagged Issues Detected

All values appear to be within acceptable risk parameters.

Both dependency and code security analyses independently recommend proceeding with this PR. The update addresses a moderate severity vulnerability (GHSA-vrw8-fxc6-2r93) related to host header injection in the RedirectSlashes middleware by upgrading go-chi/chi/v5 from 5.0.10 to 5.2.2. The new version has no known vulnerabilities and the code analysis found zero security issues across all categories. While the package has a low maintenance score, this concern is mitigated by its limited usage in examples and test directories only. The security benefits of fixing the vulnerability clearly outweigh the maintenance concerns, and no new risks are introduced by this update.

Found this helpful? Give it a 👍 or 👎 reaction!

Click to expand for details and specific link to issues

Dependency Changes

Status Package Change Version Latest Version Advisories License
⚠️ Flagged github.com/go-chi/chi/v5 updated 5.0.10 → 5.2.2 v5.2.2 None MIT (permissive)
⚠️ Flagged github.com/go-chi/chi/v5 updated 5.0.10 → 5.2.2 v5.2.2 None MIT (permissive)

Risk Details

github.com/go-chi/chi/v5:
Scorecard Checks for pkg:golang/github.com%2Fgo-chi%2Fchi%2Fv5@v5.2.2:

  • maintained: 3/10 ⚠️ Repo is not maintained actively in the last 90 days.
  • code-review: 8/10

github.com/go-chi/chi/v5:
Scorecard Checks for pkg:golang/github.com%2Fgo-chi%2Fchi%2Fv5@v5.2.2:

  • maintained: 3/10 ⚠️ Repo is not maintained actively in the last 90 days.
  • code-review: 8/10

@renovate renovate bot force-pushed the renovate/go-github.com-go-chi-chi-v5-vulnerability branch from 32602f3 to 42ff3d0 Compare August 10, 2025 14:53
@kusari-inspector Kusari Inspector
Copy link

Kusari PR Analysis rerun based on - 42ff3d0 performed at: 2025-08-10T14:54:04Z - link to updated analysis

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants