Cross-Origin Request Bypass in Go Programming Language by Google
CVE-2025-47910

Currently unrated

Key Information:

Vendor: Go Standard Library
Status: Net/http
Vendor: CVE Published:; 22 September 2025

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2025-47910?

A vulnerability exists in the Go programming language's CrossOriginProtection feature where the AddInsecureBypassPattern method can unintentionally allow more requests to bypass security validation than intended. Consequently, CrossOriginProtection can skip essential validation, forwarding the request path to a different handler, which may lack the necessary security measures, posing potential risks to applications relying on this functionality.

Affected Version(s)

net/http 1.25.0 < 1.25.1

References

https://go.dev/cl/699275

https://go.dev/issue/75054

https://groups.google.com/g/golang-announce/c/PtW9VW21NPs...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 22, 2025
Vulnerability Reserved
May 13, 2025