diff --git a/core/core.services.yml b/core/core.services.yml
index bf21661..84e1059 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -1010,6 +1010,10 @@ services:
     arguments: ['@url_generator', '@router.request_context']
     tags:
       - { name: event_subscriber }
+  redirect_leading_slashes:
+    class: Drupal\Core\EventSubscriber\RedirectLeadingSlashes
+    tags:
+      - { name: event_subscriber }
   request_close_subscriber:
     class: Drupal\Core\EventSubscriber\RequestCloseSubscriber
     tags:
diff --git a/core/lib/Drupal/Core/EventSubscriber/RedirectLeadingSlashes.php b/core/lib/Drupal/Core/EventSubscriber/RedirectLeadingSlashes.php
new file mode 100644
index 0000000..593eaed
--- /dev/null
+++ b/core/lib/Drupal/Core/EventSubscriber/RedirectLeadingSlashes.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ * @file
+ * Contains \Drupal\Core\EventSubscriber\RedirectLeadingSlashes.
+ */
+
+namespace Drupal\Core\EventSubscriber;
+
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+
+/**
+ * Redirects paths starting with multiple slashes to a single slash.
+ */
+class RedirectLeadingSlashes implements EventSubscriberInterface {
+
+  /**
+   * Redirects paths starting with multiple slashes to a single slash.
+   *
+   * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
+   *   The GetResponseEvent to process.
+   */
+  public function redirect(GetResponseEvent $event) {
+    $request = $event->getRequest();
+    $request_uri = $request->getRequestUri();
+    // It is impossible to create a link or a route to a path starting with
+    // leading slashes. However if a form is added to the 404 page that submits
+    // back to the same URI this presents an open redirect vulnerability.
+    if (strpos($request_uri, '//') === 0) {
+      $request_uri = '/' . ltrim($request_uri, '/');
+      $event->setResponse(new RedirectResponse($request->getUriForPath($request_uri)));
+    }
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  static function getSubscribedEvents() {
+    $events[KernelEvents::REQUEST][] = ['redirect', 1000];
+    return $events;
+  }
+
+}
diff --git a/core/modules/system/src/Tests/Routing/RouterTest.php b/core/modules/system/src/Tests/Routing/RouterTest.php
index f79cc5f..e8a46ff 100644
--- a/core/modules/system/src/Tests/Routing/RouterTest.php
+++ b/core/modules/system/src/Tests/Routing/RouterTest.php
@@ -10,6 +10,7 @@
 use Drupal\Core\Cache\Cache;
 use Drupal\Core\Language\LanguageInterface;
 use Drupal\simpletest\WebTestBase;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Routing\Exception\RouteNotFoundException;
 
 /**
@@ -248,4 +249,22 @@ public function testRouterUninstallInstall() {
     $route = \Drupal::service('router.route_provider')->getRouteByName('router_test.1');
     $this->assertNotNull($route, 'Route exists after module installation');
   }
+
+  /**
+   * Ensure that multiple leading slashes are redirected.
+   */
+  public function testLeadingSlashes() {
+    $request = $this->container->get('request_stack')->getCurrentRequest();
+    $url = $request->getUriForPath('//router_test/test1');
+    $this->drupalGet($url);
+    $this->assertEqual(1, $this->redirectCount, $url . " redirected to " . $this->url);
+    $this->assertUrl($this->container->get('url_generator')->generateFromPath('router_test/test1'));
+
+    // It should not matter how many leading slashes are used.
+    $url = $request->getUriForPath('/////////////////////////////////////////////////router_test/test1');
+    $this->drupalGet($url);
+    $this->assertEqual(1, $this->redirectCount, $url . " redirected to " . $this->url);
+    $this->assertUrl($this->container->get('url_generator')->generateFromPath('router_test/test1'));
+  }
+
 }