Open Redirect on follow/unfollow user's profile action in go-gitea/gitea


Reported on

Jun 7th 2023


The idea is similar to CVE-2022-1058 ( ). Browsers interpret \\ -> , which leads to an open redirect.

Proof of Concept

The vulnerable API lies in the follow/unfollow action on a user's profile.
To quickly reproduce the bug:

  • Click on any User Profile
  • Click Follow/Unfollow
  • Intercept API calls with burp

Vulnerable parameter: redirect_to

POST /admin123?action=follow&redirect_to=\\ HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: null
Connection: close
Cookie: i_like_gitea=7c60991704df67dd; lang=en-US; _csrf=kxOfYgnfpMMIT6mWaCfzPYRHdI46MTY4NjA0MjMxNDcwMTE0ODY5OQ
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1


Response from server:

HTTP/1.1 302 Found
Location: /\\
Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Date: Wed, 07 Jun 2023 07:32:30 GMT
Content-Length: 0
Connection: close

A successful POST request will redirect the user back to . The Location header will be set to /\\ and will be interpreted by the browser as a redirect to //


This is most likely a post-auth redirect, and it is a POST-based request scenario, so it is less likely that it can be exploited or chained with other bugs to cause phishing or steal credentials.
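As an added defensive example (not code from this report or from Gitea's own fix), the following Go validator checks a redirect_to value before it is placed in a Location header and rejects the backslash and protocol-relative forms described above; the function names are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// IsLocalRedirect reports whether target is safe to use as a same-site
// redirect path. It rejects anything a browser could treat as an absolute
// or protocol-relative URL, including the backslash variants ("\\", "/\")
// that browsers normalise to "//" as described in the report.
func IsLocalRedirect(target string) bool {
	if target == "" {
		return false
	}
	// Backslashes are never legitimate in a server-generated path; browsers
	// rewrite them to forward slashes, so "\\evil.example" becomes "//evil.example".
	if strings.Contains(target, `\`) {
		return false
	}
	// Require a path that starts with exactly one slash: "/x" but not "//x".
	if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "//") {
		return false
	}
	// url.Parse also rejects control characters (CR/LF/TAB) with an error.
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	// A genuine relative path parses with no scheme, host or opaque part.
	return u.Scheme == "" && u.Host == "" && u.Opaque == ""
}

// SafeRedirectTarget returns target when it passes IsLocalRedirect,
// otherwise the caller-supplied fallback (e.g. the profile page).
func SafeRedirectTarget(target, fallback string) string {
	if IsLocalRedirect(target) {
		return target
	}
	return fallback
}

func main() {
	// Constructed sample inputs, including the "\\" value from the report.
	for _, t := range []string{`/user/repo`, `\\`, `/\evil.example`, `//evil.example`, `https://evil.example`, `/user?tab=1`} {
		fmt.Printf("%-24q -> %q\n", t, SafeRedirectTarget(t, "/"))
	}
}
```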

We are processing your report and will contact the go-gitea/gitea team within 24 hours. 3 months ago
Quang Vo modified the report
3 months ago
Quang Vo
3 months ago


@admin Hi huntrdev admin, can I ask whether you have made contact with the repo maintainers?

We have contacted a member of the go-gitea/gitea team and are waiting to hear back 3 months ago
Lauris BH modified the Severity from Medium (6.4) to Low (3) 3 months ago
Lauris BH
3 months ago


I have updated CVSS complexity to high as, while the redirect URL parameter is not checked correctly, I see no way this can be abused in any way because of other security measures already in place. For a higher CVSS, a PoC would need to be provided on how this can be abused without intercepting the request and modifying it manually.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Lauris BH validated this vulnerability 3 months ago

Fix has been submitted:

Quang Vo has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Quang Vo
3 months ago


Hey @Lauris BH, you were right about the complexity. Currently there is no way that this can be abused or turned into a GET-based open redirect, so the complexity will be high. Thanks for your correction.

Quang Vo submitted a
3 months ago
Lauris BH
3 months ago


@Quang Vo I have already submitted patch

Quang Vo
3 months ago


Hi @Lauris BH, I saw that haha. Out of curiosity, will there be any CVE for this vulnerability? I understand that the severity is low, just asking to understand how this platform and the process work.

3 months ago


I believe requests CVEs for accepted issues published through their platform

Lauris BH
3 months ago


I think will assign a CVE for this; we are still in the process of becoming a CNA to manage CVEs for Gitea ourselves.

Lauris BH marked this as fixed in 1.19.4 with commit 9aaaf9 3 months ago
Lauris BH has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jul 8th 2023
Lauris BH gave praise 3 months ago
Thanks for finding and reporting this issue
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Quang Vo
3 months ago


Ahh okay thanks a lot guys. I guess I'll hear from @admin soon. It's been a pleasure working with you guys

Ben Harvie
3 months ago


Hi, the CVE will be assigned and published on July 8th 2023 when this report goes live:)

Lauris BH published this vulnerability 3 months ago