CVE-2025-47910

CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http

CVSS 5.4 MEDIUMEPSS 0.3%

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.4EPSS 0.3%KEV nãoPoC —Patch —

Ciclo de vida

22 set 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Produtos afetados

Go standard library · net/http

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://go.dev/cl/699275 https://go.dev/issue/75054 https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ https://pkg.go.dev/vuln/GO-2025-3955