Impact
An attacker-controlled redirect_to parameter in Gogs redirects users to arbitrary external URLs, enabling phishing or malicious site visits. The flaw arises because the IsSameSite function only checks the first two characters of the URL, allowing directory traversal and backslashes to bypass validation. This weakness is categorized as CWE‑601 and can compromise user trust without giving the attacker direct code execution.
Affected Systems
All Gogs installations prior to version 0.14.3 are affected. The vulnerability impacts all redirects that use the redirect_to parameter and are validated through the vulnerable IsSameSite function.
Risk and Exploitability
The CVSS score of 5.4 indicates moderate severity, and the EPSS score is not available, meaning no current data on exploitation likelihood. The issue is not listed in CISA KEV. Attackers can exploit the flaw by crafting URLs with manipulated redirect_to values that bypass validation, redirecting victims to malicious sites. No authentication or privileged access is required, making the attack vector relatively low effort.
OpenCVE Enrichment
Github GHSA