CVE-2025-47910

CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http

CVSS 5.4 MEDIUMEPSS 0.3%

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.4EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

22 sep 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Productos afectados

Go standard library · net/http

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://go.dev/cl/699275 https://go.dev/issue/75054 https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ https://pkg.go.dev/vuln/GO-2025-3955