Cross-Origin Request Bypass in Go Programming Language by Google
CVE-2025-47910

5.4 MEDIUM

Key Information:

CVE Published: 22 September 2025

What is CVE-2025-47910?

A vulnerability exists in the CrossOriginProtection feature of the Go programming language's net/http package: the AddInsecureBypassPattern method can unintentionally allow more requests to bypass security validation than intended. When this happens, CrossOriginProtection skips validation and the request is forwarded to a different handler, which may lack the necessary security measures. This poses potential risks to applications that rely on this functionality.

Affected Version(s)

net/http 1.25.0 < 1.25.1

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
