fix(deps): update rust crate actix-web-lab to 0.26.0 [security]#298
Open
renovate[bot] wants to merge 1 commit into main from
Conversation
This PR contains the following updates:
- actix-web-lab: 0.20.1 → 0.26.0

GitHub Vulnerability Alerts
GHSA-vhj5-x93p-67jw

Summary
actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs (for example, https://{hostname}{path}). In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, causing open redirect/phishing behavior.

CVE
Assigned CVE ID: CVE-2025-63762
Details
The issue is in redirect middleware paths that construct absolute URLs from req.connection_info():
- actix-web-lab/src/redirect_to_https.rs (around lines 119-132):
    let host = conn_info.host();
    format!("https://{hostname}{path}")
    format!("https://{hostname}:{port}{path}")
- actix-web-lab/src/redirect_to_www.rs (around lines 30-35):
    format!("{scheme}://www.{host}{path}")
- actix-web-lab/src/redirect_to_non_www.rs (around lines 30-34):
    format!("{scheme}://{host_no_www}{path}")
Because host values come from request connection metadata, untrusted Host input can influence redirect targets when deployment-side host validation is missing.
PoC
Environment used for validation:
- actix-web-lab middleware
- local test servers at http://127.0.0.1:18080, http://127.0.0.1:18081 and http://127.0.0.1:18082

Reproduction (RedirectHttps):
Observed response:
Additional verification:
Observed response:
Reproduction (redirect_to_www):
Observed response:
Reproduction (redirect_to_non_www):
Observed response:
Impact
This is a Host header poisoning / open redirect issue. Users can be redirected to attacker-controlled domains, enabling phishing and trust-boundary abuse. Any application using these middleware paths without strict host validation (proxy/app allowlisting) is impacted.
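As an added illustration of the Details and Impact sections above (example code written for this note, not actix-web-lab's own), the following std-only Rust contrasts the request-derived URL construction with the deployment-side allowlist check the advisory calls for; the allowed host names, the https_port parameter and the sample Host values are assumptions.

```rust
/// Split an HTTP Host header value into (lowercased hostname, port).
/// Accepts "example.com", "example.com:8080" and bracketed IPv6 "[::1]:8080";
/// returns None when the port is present but not a valid number.
fn split_host_port(host: &str) -> Option<(String, Option<u16>)> {
    let host = host.trim();
    let (name, port) = if let Some(rest) = host.strip_prefix('[') {
        // IPv6 literal: the address runs up to the closing bracket.
        let end = rest.find(']')?;
        let tail = &rest[end + 1..];
        let port = if tail.is_empty() { None } else { Some(tail.strip_prefix(':')?) };
        (format!("[{}]", &rest[..end]), port)
    } else {
        match host.rsplit_once(':') {
            Some((n, p)) => (n.to_string(), Some(p)),
            None => (host.to_string(), None),
        }
    };
    let port = port.map(|p| p.parse::<u16>()).transpose().ok()?;
    Some((name.to_ascii_lowercase(), port))
}

/// Pattern the advisory describes: the absolute URL is assembled from the
/// request-derived host, so an attacker-chosen Host value lands in Location.
fn redirect_unchecked(host: &str, path: &str) -> String {
    format!("https://{host}{path}")
}

/// Hardened variant: build a Location only when the request host (port stripped)
/// matches the deployment allowlist exactly and case-insensitively, so neither
/// "evil.test" nor "example.com.evil.test" passes for "example.com". None tells
/// the caller to reject the request instead of redirecting. (https_port is assumed.)
fn redirect_allowlisted(host: &str, path: &str, allowed: &[&str], https_port: Option<u16>) -> Option<String> {
    let (name, _request_port) = split_host_port(host)?;
    if !allowed.iter().any(|a| a.eq_ignore_ascii_case(&name)) {
        return None;
    }
    Some(match https_port {
        Some(p) if p != 443 => format!("https://{name}:{p}{path}"),
        _ => format!("https://{name}{path}"),
    })
}

fn main() {
    let allowed = ["example.com", "www.example.com"];
    // Constructed sample Host values; the second one is not a deployment host.
    for host in ["Example.com:8080", "evil.test"] {
        println!("unchecked:   {}", redirect_unchecked(host, "/login"));
        println!("allowlisted: {:?}", redirect_allowlisted(host, "/login", &allowed, None));
    }
}
```

In a deployment, the same check belongs in front of the middleware (reverse proxy host allowlisting) as well as in the application, since the advisory's fix only helps where the host is validated somewhere on the path.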
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.