4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32721

GHSA ID

GHSA-mj9r-wwm8-7q52

EPSS Score

0.42476%

CWE

CWE-601

Published

7/1/2021

Updated

5/30/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-32721

CVE-2021-32721: Open Redirect in github.com/AndrewBurian/powermux

Impact

Attackers may be able to craft phishing links and other open redirects by exploiting the trailing slash redirection feature. This may lead to users being redirected to untrusted sites after following an attacker crafted link.

Patches

The issue is resolved in v1.1.1

Workarounds

There are no existing workarounds. You may detect attempts to craft urls that exploit this feature by looking for request paths containing pairs of forward slashes in sequence combined with a trailing slash e.g. https://example.com//foo/

(GitHub Advisory)

4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-32721

GHSA ID

GHSA-mj9r-wwm8-7q52

EPSS Score

0.42476%

CWE

CWE-601

Published

7/1/2021

Updated

5/30/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/AndrewBurian/powermux	go	< 1.1.1	1.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) The trailing slash redirection in ServeMux.getAll didn't validate path structure, allowing redirects from paths with double slashes. 2) Route.execute processed paths without checking for invalid consecutive slashes. The fix moved redirection logic to Route.execute and added explicit checks for '//' patterns. The removed code in servemux.go and modified logic in route.go indicate these were the vulnerable areas.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *tt**k*rs m*y ** **l* to *r**t p*is*in* links *n* ot**r op*n r**ir**ts *y *xploitin* t** tr*ilin* sl*s* r**ir**tion ***tur*. T*is m*y l*** to us*rs **in* r**ir**t** to untrust** sit*s **t*r *ollowin* *n *tt**k*r *r**t** link. ### P*t***s

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) T** tr*ilin* sl*s* r**ir**tion in `S*rv*Mux.**t*ll` *i*n't v*li**t* p*t* stru*tur*, *llowin* r**ir**ts *rom p*t*s wit* *ou*l* sl*s**s. *) `Rout*.*x**ut*` pro**ss** p*t*s wit*out ****kin* *or inv*li* *

4.7

Basic Information

Concerned about an active attack path?

CVE-2021-32721: Open Redirect in github.com/AndrewBurian/powermux

Impact

Patches

Workarounds

4.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI