Cross-Origin Request Bypass in Go Programming Language by Google
CVE-2025-47910

5.4MEDIUM

Key Information:

Vendor: Go Standard Library
Status: Net/http
Vendor: CVE Published:; 22 September 2025

🔔 Create Go Standard Library Vulnerability Alert

What is CVE-2025-47910?

A vulnerability exists in the Go programming language's CrossOriginProtection feature where the AddInsecureBypassPattern method can unintentionally allow more requests to bypass security validation than intended. Consequently, CrossOriginProtection can skip essential validation, forwarding the request path to a different handler, which may lack the necessary security measures, posing potential risks to applications relying on this functionality.

Affected Version(s)

net/http 1.25.0 < 1.25.1

References

https://go.dev/cl/699275

https://go.dev/issue/75054

https://groups.google.com/g/golang-announce/c/PtW9VW21NPs...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 22, 2025
Vulnerability Reserved
May 13, 2025

JSON