CVE-2025-47910

Sept. 22, 2025, 9:22 p.m.

None
No Score

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Product(s) Impacted

Vendor Product Versions
Golang
  • Http.crossoriginprotection
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a golang http.crossoriginprotection / / / / / / / /

References

https://go.dev/cl/699275
https://go.dev/issue/75054
https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ
https://pkg.go.dev/vuln/GO-2025-3955

Tags

security@golang.org
2025-09-22
CVE-2025-47910

Timeline

Published: Sept. 22, 2025, 9:15 p.m.
Last Modified: Sept. 22, 2025, 9:22 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security@golang.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.