GHSA-vhj5-x93p-67jw: actix-web-lab host header poisoning in redirect middleware can generate attacker-controlled absolute redirects
The actix-web-lab redirect middleware uses request-derived host information to construct absolute redirect URLs (for example, https://{hostname}{path}). In deployments without strict host allowlisting, an attacker can supply a malicious Host header and poison the Location response header, producing an open redirect that can be used for phishing.
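As an added illustration (not actix-web-lab's own code), the Rust functions below contrast the pattern the advisory describes, reflecting the request Host header into an absolute Location, with a version that only builds the redirect for hosts on an operator-supplied allowlist. The hostnames, paths and allowlist are constructed values; the function and helper names are hypothetical.

```rust
// Added example, not actix-web-lab code: how a Host header flows into a
// redirect Location, and the allowlist check that stops attacker control.

/// Unsafe: whatever the client sent as `Host` becomes the redirect origin.
pub fn location_unchecked(host_header: &str, path: &str) -> String {
    format!("https://{}{}", host_header, path)
}

/// Normalise a Host header value: trim, drop a trailing dot, drop an
/// explicit numeric port, lowercase. Returns None for anything that is not
/// a plain hostname (IPv6 literals, non-numeric ports, stray characters).
fn normalize_host(raw: &str) -> Option<String> {
    let host = raw.trim().trim_end_matches('.');
    let name = match host.rsplit_once(':') {
        Some((n, port)) if !port.is_empty() && port.chars().all(|c| c.is_ascii_digit()) => n,
        Some(_) => return None,
        None => host,
    };
    if name.is_empty() || !name.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.') {
        return None;
    }
    Some(name.to_ascii_lowercase())
}

/// Hardened: the host is reflected only if it is on the deployment's
/// allowlist, and only an absolute same-origin path is accepted. None means
/// the request should be refused instead of redirected.
pub fn location_allowlisted(host_header: Option<&str>, path: &str, allowed: &[&str]) -> Option<String> {
    let host = normalize_host(host_header?)?;
    if !allowed.iter().any(|a| a.eq_ignore_ascii_case(&host)) {
        return None; // unknown host: do not echo it into Location
    }
    if !path.starts_with('/') || path.starts_with("//") {
        return None; // "//evil.example" would also turn into an off-site redirect
    }
    Some(format!("https://{}{}", host, path))
}

fn main() {
    let allowed = ["app.example.com"]; // constructed allowlist
    println!("{}", location_unchecked("attacker.example", "/login"));
    println!("{:?}", location_allowlisted(Some("attacker.example"), "/login", &allowed));
    println!("{:?}", location_allowlisted(Some("APP.example.com:443"), "/login", &allowed));
}
```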