Status: Closed
Labels: excluded: WITHDRAWN (The source report was withdrawn before we published it in vulndb.), high priority, triaged
Description
Advisory GHSA-vh9x-phq6-fx54 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/rs/cors |
Description:
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mh55-gqvf-xfwm. This link is maintained to preserve external references.
Original Description
Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server in an attempt to cause a denial of service.
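As an added defensive illustration (not code from rs/cors, the advisory, or the fix in PR #171): a small net/http wrapper that counts the comma-separated entries of Access-Control-Request-Headers without splitting the value and rejects preflights above an assumed bound (maxRequestedHeaders, a hypothetical value) before a CORS middleware parses the list.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed bound for this example: browsers send a handful of names in
// Access-Control-Request-Headers, so a few dozen is generous.
const maxRequestedHeaders = 32

// requestedHeaderCount counts comma-separated entries across all ACRH
// values without splitting them, so the guard allocates nothing per entry.
func requestedHeaderCount(values []string) int {
	n := 0
	for _, v := range values {
		if strings.TrimSpace(v) != "" {
			n += strings.Count(v, ",") + 1
		}
	}
	return n
}

// LimitPreflightHeaders rejects preflights whose ACRH list exceeds the bound
// before the request reaches a CORS middleware that would parse the list.
func LimitPreflightHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		preflight := r.Method == http.MethodOptions &&
			r.Header.Get("Access-Control-Request-Method") != ""
		if preflight && requestedHeaderCount(r.Header.Values("Access-Control-Request-Headers")) > maxRequestedHeaders {
			http.Error(w, "too many requested headers", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed preflight whose ACRH value is 1000 commas, as in the report.
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	req := httptest.NewRequest(http.MethodOptions, "/", nil)
	req.Header.Set("Access-Control-Request-Method", "GET")
	req.Header.Set("Access-Control-Request-Headers", strings.Repeat(",", 1000))
	rr := httptest.NewRecorder()
	LimitPreflightHeaders(ok).ServeHTTP(rr, req)
	fmt.Println(rr.Code) // 403
}
```

The count over-approximates on empty entries (",," counts as three), which is the safe direction for a rate guard; upgrading to rs/cors 1.11.0 remains the actual fix.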
References:
- ADVISORY: GHSA-vh9x-phq6-fx54
- FIX: Normalize allowed request headers and store them in a sorted set (fixes #170) rs/cors#171
- REPORT: Some malicious/spoofed preflight requests cause prohibitive load rs/cors#170
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2025-47908
Cross references:
- github.com/rs/cors appears in 2 other report(s):
  - data/reports/GO-2023-1792.yaml (x/vulndb: potential Go vuln in github.com/rs/cors #1792)
  - data/reports/GO-2024-2883.yaml (x/vulndb: denial of service in github.com/rs/cors #2883)
See doc/quickstart.md for instructions on how to triage this report.
```yaml
id: GO-ID-PENDING
modules:
    - module: github.com/rs/cors
      versions:
          - introduced: 1.9.0
          - fixed: 1.11.0
      vulnerable_at: 1.10.1
summary: |-
    Duplicate Advisory: Denial of service via malicious preflight requests in
    github.com/rs/cors
ghsas:
    - GHSA-vh9x-phq6-fx54
references:
    - advisory: https://github.com/advisories/GHSA-vh9x-phq6-fx54
    - fix: https://github.com/rs/cors/pull/171
    - report: https://github.com/rs/cors/issues/170
    - web: https://nvd.nist.gov/vuln/detail/CVE-2025-47908
source:
    id: GHSA-vh9x-phq6-fx54
    created: 2025-08-06T23:01:18.211003078Z
review_status: UNREVIEWED
```