Description

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. Attackers can abuse this behavior to put undue load on the middleware/server in an attempt to cause a denial of service.

PUBLISHED Reserved 2025-05-13 | Published 2025-08-06 | Updated 2025-08-07 | Assigner Go

Problem types

CWE-1325: Improperly Controlled Sequential Memory Allocation

Product status

Default status: unaffected

1.9.0 (semver) before 1.11.0: affected

Credits

@jub0bs

References

github.com/rs/cors/pull/171

github.com/rs/cors/issues/170

pkg.go.dev/vuln/GO-2024-2883

cve.org (CVE-2025-47908)

nvd.nist.gov (CVE-2025-47908)
