logo

Database

Asymmetric denial of service In github.com/rs/cors

Description

Duplicate Advisory: Denial of service via malicious preflight requests in github.com/rs/cors

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-mh55-gqvf-xfwm. This link is maintained to preserve external references.

Original Description

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. NVD-2025-479082. GCVE-GHSA-vh9x-phq6-fx54

References

1. https://github.com/rs/cors/issues/1702. https://github.com/rs/cors/pull/1713. https://pkg.go.dev/vuln/GO-2024-2883

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.