GHSA-MQQF-5WVP-8FH8

Slashing Through the Safety Nets: The go-chi Open Redirect

Amit Schendel
Senior Security Researcher

Jan 15, 2026 · 6 min read

Executive Summary (TL;DR)

The `RedirectSlashes` middleware in go-chi/chi attempted to clean up URLs by removing trailing slashes but failed to account for backslashes. By sending a request like `/\target.com/`, attackers can trick the server into issuing a redirect to `/\target.com`. Most modern browsers interpret this as a protocol-relative URL (`//target.com`), redirecting the victim to an external malicious domain.
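To make the failure mode concrete, here is an added Go example that is not go-chi's code and not the upstream fix. `naiveRedirectTarget` is a constructed stand-in for the trailing-slash logic described above: it already refuses a `//host` result (the safety net the title alludes to) but ignores backslashes, so `/\target.com/` still yields `/\target.com`. `safeRedirectTarget` is my own hardened variant, which treats `\` as `/` before the prefix check. `target.com` is a placeholder value, and the `redirectSlashes` wrapper is an assumed integration, not chi's API.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// naiveRedirectTarget models the trailing-slash redirect described above.
// Constructed stand-in, not go-chi's code: it strips the trailing slash and
// refuses a "//host" result, but does nothing about backslashes. It returns
// the would-be Location value and whether a redirect should be issued.
func naiveRedirectTarget(path string) (string, bool) {
	if len(path) <= 1 || !strings.HasSuffix(path, "/") {
		return "", false
	}
	target := strings.TrimSuffix(path, "/")
	if strings.HasPrefix(target, "//") { // existing safety net: forward slashes only
		return "", false
	}
	return target, true
}

// safeRedirectTarget is a hardened variant (my own, not the upstream fix).
// Browsers treat "/\" like "//", so backslashes are folded to slashes before
// the prefix check; anything that could read as protocol-relative is refused.
func safeRedirectTarget(path string) (string, bool) {
	if len(path) <= 1 || !strings.HasSuffix(path, "/") {
		return "", false
	}
	target := strings.TrimSuffix(path, "/")
	normalised := strings.ReplaceAll(target, "\\", "/")
	if strings.HasPrefix(normalised, "//") { // catches "//", "/\", "\/", "/\/" ...
		return "", false
	}
	return target, true
}

// redirectSlashes wraps a handler with the hardened check (assumed shape, not
// chi's middleware). Unsafe targets are passed through to next unchanged,
// which normally ends in a 404 rather than a redirect.
func redirectSlashes(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if target, ok := safeRedirectTarget(r.URL.Path); ok {
			if r.URL.RawQuery != "" {
				target += "?" + r.URL.RawQuery
			}
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample paths; "target.com" is a placeholder host.
	for _, p := range []string{"/users/", "//target.com/", "/\\target.com/"} {
		n, nok := naiveRedirectTarget(p)
		s, sok := safeRedirectTarget(p)
		fmt.Printf("%-18q naive=%q (%v)  safe=%q (%v)\n", p, n, nok, s, sok)
	}
}
```

Note that Go's `http.Redirect` runs `path.Clean` on a relative Location but treats `\` as an ordinary path byte, so it will not rescue the naive version; the check has to happen before the redirect is issued. Running `main` shows the naive variant blocking `//target.com/` yet emitting `/\target.com` for the backslash form, while the hardened variant refuses both and still redirects `/users/` to `/users`.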

A logic error in the popular Go router 'chi' middleware allows attackers to bypass open redirect protections using backslashes.


Technical Appendix

CVSS Score
4.7 / 10
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
EPSS Probability
0.04%
Top 100% most exploited

Affected Systems

Go applications using the chi router
Services utilizing middleware.RedirectSlashes
Web applications exposed to public traffic

Affected Versions Detail

Product: github.com/go-chi/chi (go-chi)
Affected Versions: >= 5.2.2, < 5.2.3
Fixed Version: v5.2.3

Attribute: Detail
CWE ID: CWE-601
Attack Vector: Network (AV:N)
CVSS Score: 4.7 (Medium)
Complexity: Low (AC:L)
Privileges: None (PR:N)
User Interaction: Required (UI:R)
Patch Status: Available
CWE-601: Open Redirect

URL Redirection to Untrusted Site ('Open Redirect')

Vulnerability Timeline

Vulnerability identified and patched in go-chi
2026-01-14
GHSA-mqqf-5wvp-8fh8 published
2026-01-14