Headline
GHSA-vhxv-fg4m-p2w8: Some CORS middleware allow untrusted origins
Impact
Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.
For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.
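The following Go program is an added illustration of the bug class the advisory describes; it is not the jub0bs/cors implementation and makes no claim about the library's actual root cause. It models an origin allowlist as a trie over reversed hosts (so patterns whose hosts share a suffix, such as foo.com and bar.com, share a path) and shows how a matcher that stops walking as soon as it reaches the end of some allowed host accepts https://barfoo.com, while a matcher that requires the whole host to be consumed accepts only the listed origins. The Matcher type, its methods and the single-scheme restriction are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
)

// node is one position in a trie over the reversed host of each allowed origin.
// Constructed example: patterns whose hosts share a suffix share a path here.
type node struct {
	children map[byte]*node
	terminal bool // true if some allowed host ends exactly at this node
}

func newNode() *node { return &node{children: map[byte]*node{}} }

// reverse returns s with its bytes in reverse order (hosts are ASCII here).
func reverse(s string) string {
	b := []byte(s)
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

// Matcher holds the allowed scheme and the host trie (hypothetical type).
type Matcher struct {
	scheme string
	root   *node
}

// NewMatcher takes origins such as "https://foo.com". To keep the example
// small, all patterns must share one scheme.
func NewMatcher(origins []string) (*Matcher, error) {
	m := &Matcher{root: newNode()}
	for _, o := range origins {
		u, err := url.Parse(o)
		if err != nil || u.Scheme == "" || u.Host == "" {
			return nil, fmt.Errorf("bad origin pattern %q", o)
		}
		if m.scheme == "" {
			m.scheme = u.Scheme
		} else if m.scheme != u.Scheme {
			return nil, fmt.Errorf("mixed schemes are not supported in this example")
		}
		cur := m.root
		for _, c := range []byte(reverse(u.Host)) {
			next, ok := cur.children[c]
			if !ok {
				next = newNode()
				cur.children[c] = next
			}
			cur = next
		}
		cur.terminal = true
	}
	return m, nil
}

// reversedHost validates the request origin's scheme and returns its reversed host.
func (m *Matcher) reversedHost(origin string) (string, bool) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != m.scheme || u.Host == "" {
		return "", false
	}
	return reverse(u.Host), true
}

// FlawedAllows returns true as soon as the walk reaches a node where some
// allowed host ends, without requiring that the request host be fully consumed.
// With patterns https://foo.com and https://bar.com it accepts https://barfoo.com.
func (m *Matcher) FlawedAllows(origin string) bool {
	rh, ok := m.reversedHost(origin)
	if !ok {
		return false
	}
	cur := m.root
	for i := 0; i < len(rh); i++ {
		if cur.terminal { // BUG: leftover bytes ("rab" for barfoo.com) are ignored
			return true
		}
		next, ok := cur.children[rh[i]]
		if !ok {
			return false
		}
		cur = next
	}
	return cur.terminal
}

// FixedAllows accepts only when every byte of the host was consumed and the
// walk ends exactly on a terminal node, i.e. an exact host match.
func (m *Matcher) FixedAllows(origin string) bool {
	rh, ok := m.reversedHost(origin)
	if !ok {
		return false
	}
	cur := m.root
	for i := 0; i < len(rh); i++ {
		next, ok := cur.children[rh[i]]
		if !ok {
			return false
		}
		cur = next
	}
	return cur.terminal
}

func main() {
	m, err := NewMatcher([]string{"https://foo.com", "https://bar.com"})
	if err != nil {
		panic(err)
	}
	for _, o := range []string{"https://foo.com", "https://bar.com", "https://barfoo.com", "http://foo.com", "https://sub.foo.com"} {
		fmt.Printf("%-22s flawed=%-5v fixed=%v\n", o, m.FlawedAllows(o), m.FixedAllows(o))
	}
}
```

The practical takeaway for anyone reviewing an origin allowlist, whatever its data structure, is the check in FixedAllows: a request origin is allowed only if scheme, host and port all match one listed origin in full, never because it merely ends with or contains an allowed host.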
Patches
Patched in v0.1.3.
Workarounds
None.
Critical severity GitHub Reviewed Published May 2, 2024 in jub0bs/cors • Updated May 3, 2024
Package
gomod github.com/jub0bs/cors (Go)
Affected versions
< 0.1.3
References
- GHSA-vhxv-fg4m-p2w8
- jub0bs/cors@5bc0648
Published to the GitHub Advisory Database
May 3, 2024