x/vulndb: potential Go vuln in github.com/go-chi/chi: GHSA-mqqf-5wvp-8fh8

Advisory [GHSA-mqqf-5wvp-8fh8](https://github.com/advisories/GHSA-mqqf-5wvp-8fh8) references a vulnerability in the following Go modules:

| Module |
| - |
| [github.com/go-chi/chi](https://pkg.go.dev/github.com/go-chi/chi) |
| [github.com/go-chi/chi/v2](https://pkg.go.dev/github.com/go-chi/chi/v2) |
| [github.com/go-chi/chi/v3](https://pkg.go.dev/github.com/go-chi/chi/v3) |
| [github.com/go-chi/chi/v4](https://pkg.go.dev/github.com/go-chi/chi/v4) |
| [github.com/go-chi/chi/v5](https://pkg.go.dev/github.com/go-chi/chi/v5) |

Description:
### Summary

The `RedirectSlashes` function in middleware/strip.go does not perform correct input validation and can lead to an open redirect vulnerability.

### Details

The `RedirectSlashes` function performs a `Trim` to all forward slash (`/`) characters, while prepending a single one at the begining of the path (Line 52).

However, it does not trim backslashes (`\`).

```go
File: middleware/strip.go
41: func RedirectSlashes(next http.Handler) http.Handler {
...
51: 			// Trim all leading and trailing slashes (e.g., "//evil.com", "/some/path//")
52: 			path = "/" + strings.Trim(path, "/")
....

References:
- ADVISORY: https://github.com/advisories/GHSA-mqqf-5wvp-8fh8
- ADVISORY: https://github.com/go-chi/chi/security/advisories/GHSA-mqqf-5wvp-8fh8
- FIX: https://github.com/go-chi/chi/commit/6eb35881c0e438ffb663ddbad3a61babaa5e5d8a
- REPORT: https://github.com/go-chi/chi/issues/1037

Cross references:
- github.com/go-chi/chi/v5 appears in 1 other report(s):
  - data/reports/GO-2025-3770.yaml    (https://github.com/golang/vulndb/issues/3770)

See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

```
id: GO-ID-PENDING
modules:
    - module: github.com/go-chi/chi
      vulnerable_at: 1.5.5
    - module: github.com/go-chi/chi/v2
      vulnerable_at: 2.1.1
    - module: github.com/go-chi/chi/v3
      vulnerable_at: 3.3.5
    - module: github.com/go-chi/chi/v4
      vulnerable_at: 4.1.3
    - module: github.com/go-chi/chi/v5
      versions:
        - introduced: 5.2.2
        - fixed: 5.2.4
      vulnerable_at: 5.2.3
summary: chi has an open redirect vulnerability in the RedirectSlashes middleware in github.com/go-chi/chi
ghsas:
    - GHSA-mqqf-5wvp-8fh8
references:
    - advisory: https://github.com/advisories/GHSA-mqqf-5wvp-8fh8
    - advisory: https://github.com/go-chi/chi/security/advisories/GHSA-mqqf-5wvp-8fh8
    - fix: https://github.com/go-chi/chi/commit/6eb35881c0e438ffb663ddbad3a61babaa5e5d8a
    - report: https://github.com/go-chi/chi/issues/1037
source:
    id: GHSA-mqqf-5wvp-8fh8
    created: 2026-01-14T22:01:18.724614708Z
review_status: UNREVIEWED

```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

x/vulndb: potential Go vuln in github.com/go-chi/chi: GHSA-mqqf-5wvp-8fh8 #4316

Summary

Details

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

x/vulndb: potential Go vuln in github.com/go-chi/chi: GHSA-mqqf-5wvp-8fh8 #4316

Description

Summary

Details

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions