Vulnerability Report: GO-2024-2813

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns "https://foo.com" and "https://bar.com" (in that order) would yield a middleware that would incorrectly allow untrusted origin "https://barfoo.com".

For detailed information about this vulnerability, visit https://github.com/jub0bs/cors/security/advisories/GHSA-vhxv-fg4m-p2w8.
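
A regression check built from the example above, added here as an illustration (it is not code from the advisory or from jub0bs/cors): `leaked` replays look-alike origins against a handler and returns any that receive an allow header. The names `leaked`, `corsWith` and `loose` are hypothetical, and the allowed list is assumed to hold plain `scheme://host` origins without wildcards.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// leaked builds look-alikes as in the advisory's example ("bar" + "foo.com"),
// replays each as Origin against h, and returns the untrusted ones h allowed.
func leaked(h http.Handler, allowed []string) []string {
	var bad []string
	for _, a := range allowed {
		for _, b := range allowed {
			ua, errA := url.Parse(a)
			ub, errB := url.Parse(b)
			if a == b || errA != nil || errB != nil {
				continue
			}
			o := ua.Scheme + "://" + strings.SplitN(ub.Hostname(), ".", 2)[0] + ua.Host
			if strings.Contains(" "+strings.Join(allowed, " ")+" ", " "+o+" ") {
				continue // the look-alike is itself a configured origin
			}
			req := httptest.NewRequest(http.MethodGet, "/", nil)
			req.Header.Set("Origin", o)
			rec := httptest.NewRecorder()
			h.ServeHTTP(rec, req)
			if got := rec.Header().Get("Access-Control-Allow-Origin"); got == o || got == "*" {
				bad = append(bad, o)
			}
		}
	}
	return bad
}

// corsWith is a constructed stand-in middleware for the demo, not jub0bs/cors code.
func corsWith(match func(string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); match(o) {
			w.Header().Set("Access-Control-Allow-Origin", o)
		}
	})
}

func main() { // a deliberately loose suffix matcher, to show the check firing
	loose := func(o string) bool { return strings.HasSuffix(o, "foo.com") }
	fmt.Println(leaked(corsWith(loose), []string{"https://foo.com", "https://bar.com"}))
}
```

In a project's own test suite, pass the handler wrapped by the real middleware in place of `corsWith(...)`; an empty result is the expected outcome.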
