Fluid Attacks Database

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	golang-1.25	=1.25.0-1 \|\| =1.25.0-2 \|\| >=0 <1.25.1-1	1.25.1-1
go	stdlib	>=1.25.0 <1.25.1	1.25.1
rpm rhel10	bootc-image-builder	-	-
rpm rhel9	buildah	-	-
rpm rhel9	opentelemetry-collector	-	-
rpm rhel10	osbuild-composer	-	-
rpm rhel8	osbuild-composer	-	-
rpm rhel10	podman	-	-
rpm rhel8	podman	-	-
rpm rhel9	podman	-	-

1-10 of 57

Aliases

1. CVE-2025-479102. NVD-2025-479103. OSV-DEBIAN-2025-479104. OSV-2025-479105. OSV-GO-2025-39556. GCVE-2025-479107. SECURITY-TRACKER-CVE-2025-47910

References

1. https://go.dev/cl/6992752. https://go.dev/issue/750543. https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.