| id: GO-2025-3955 |
| modules: |
| - module: std |
| versions: |
| - introduced: 1.25.0 |
| - fixed: 1.25.1 |
| vulnerable_at: 1.25.0 |
| packages: |
| - package: net/http |
| symbols: |
| - CrossOriginProtection.AddInsecureBypassPattern |
| summary: CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http |
| description: |- |
| When using http.CrossOriginProtection, the AddInsecureBypassPattern method can |
| unexpectedly bypass more requests than intended. CrossOriginProtection then |
| skips validation, but forwards the original request path, which may be served by |
| a different handler without the intended security protections. |
| cves: |
| - CVE-2025-47910 |
| references: |
| - fix: https://go.dev/cl/699275 |
| - report: https://go.dev/issue/75054 |
| - web: https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ |
| cve_metadata: |
| id: CVE-2025-47910 |
| cwe: 'CWE-284: Improper Access Control' |
| source: |
| id: go-security-team |
| created: 2025-09-22T18:22:01.351822759Z |
| review_status: REVIEWED |
