CVE-2025-47910
Published: September 4, 2025
Last modified: September 10, 2025
Description
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
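As an added example (not code from the Go project or from this advisory), the block below shows the mechanism behind the description and one defence-in-depth check around it. AddInsecureBypassPattern documents that its patterns use ServeMux syntax, and ServeMux cleans a request path before matching, so a pattern can report a match for a request whose original, uncleaned path is what actually gets forwarded. The example uses a plain ServeMux rather than the Go 1.25 CrossOriginProtection API so it runs on older toolchains, and wraps it in a hypothetical `requireCanonicalPath` middleware (an assumption, not part of net/http) that rejects any request whose path is not already canonical, so every later check sees exactly the path the downstream handler will see. The sample paths are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// isCanonicalPath reports whether an (escaped) request path is already in
// the form ServeMux routes on: cleaned of "." and ".." segments and repeated
// slashes, with a trailing slash preserved. ServeMux cleans the path before
// pattern matching, so a pattern match alone does not prove that the request,
// forwarded unchanged, reaches the handler the pattern names.
func isCanonicalPath(p string) bool {
	if p == "" || p[0] != '/' {
		return false
	}
	cleaned := path.Clean(p)
	if strings.HasSuffix(p, "/") && cleaned != "/" {
		cleaned += "/"
	}
	return cleaned == p
}

// requireCanonicalPath is hypothetical middleware (not part of net/http) that
// rejects non-canonical paths up front, so any later check, including a
// CrossOriginProtection bypass pattern, evaluates exactly the path the
// downstream handler will receive.
func requireCanonicalPath(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isCanonicalPath(r.URL.EscapedPath()) {
			http.Error(w, "non-canonical request path", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// bypassPattern registers a single pattern on a ServeMux (bypass patterns use
// ServeMux pattern syntax) and reports which pattern, if any, the mux matches
// for the raw request path. A non-empty result for a non-canonical path is
// the mismatch the advisory describes: the pattern matched the cleaned path,
// while the request still carries the original one.
func bypassPattern(pattern, rawPath string) string {
	mux := http.NewServeMux()
	mux.HandleFunc(pattern, func(http.ResponseWriter, *http.Request) {})
	req := httptest.NewRequest(http.MethodGet, rawPath, nil)
	_, matched := mux.Handler(req)
	return matched
}

// statusFor runs a constructed request through the middleware in front of a
// mux that serves /healthz and returns the HTTP status produced.
func statusFor(rawPath string) int {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	rec := httptest.NewRecorder()
	requireCanonicalPath(mux).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Code
}

func main() {
	// Constructed sample paths: one canonical, one that only matches after cleaning.
	for _, p := range []string{"/healthz", "/./healthz"} {
		fmt.Printf("%-12s canonical=%-5v bypassPattern=%q status=%d\n",
			p, isCanonicalPath(p), bypassPattern("/healthz", p), statusFor(p))
	}
}
```

The middleware is a compensating control only: the remedy for the CVE itself is the fixed package version listed in the status table, since the check inside CrossOriginProtection is what was corrected upstream.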
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.4 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality | LOW |
| Integrity impact | LOW |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N |
Notes
https://github.com/golang/go/issues/75054: net/http: `CrossOriginProtection` insecure bypass patterns not limited to exact matches.
Introduced in Go 1.25. Alpine's tagging of this fix in the 1.24.7 secfixes appears to be a mistake (the Go team's release announcement is very awkwardly worded); it was corrected in https://gitlab.alpinelinux.org/alpine/aports/-/commit/33a43cf6.
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | Stream | go | Fixed (1.25.1-r0) |
| Hardened Containers | Stream | go | Fixed (1.25.1-r0) |