GHSA-v84h-653v-4pq9: Some CORS middleware allow untrusted origins

Severity: Critical (GitHub Reviewed). Published May 2, 2024 in jub0bs/fcors; updated May 3, 2024.

Package

github.com/jub0bs/fcors (Go module)

Affected versions

<= 0.8.0

Impact

Some CORS middleware, specifically those created by specifying two or more origin patterns whose hosts share a proper suffix, incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from those origins.

For example, specifying the origin patterns https://foo.com and https://bar.com (in that order) yields a middleware that incorrectly allows the untrusted origin https://barfoo.com.
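The failure class described above, as an added Go example that is not fcors's own code: allow-listed hosts are stored reversed in a radix tree (so hosts sharing a suffix share a prefix), a hypothetical node-split defect can be switched on to reproduce the foo.com, bar.com, barfoo.com symptom (this mechanism is an assumption made for illustration; the real defect is whatever the referenced fix commit changed, and is not reproduced here), and leakedSiblings is the check a practitioner can run against an allow-list to catch this bug class. Only hosts are matched; scheme and port handling are left out.

```go
package main

import (
	"fmt"
	"strings"
)

// reverse returns s with its bytes reversed (hosts here are ASCII).
func reverse(s string) string {
	b := []byte(s)
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

// node is a radix-tree node over reversed hosts; terminal ends an allow-listed host.
type node struct {
	label    string
	terminal bool
	children []*node
}

// child returns the child whose label starts with b (first bytes never collide), or nil.
func (n *node) child(b byte) *node {
	for _, c := range n.children {
		if c.label[0] == b {
			return c
		}
	}
	return nil
}

// insert adds host under root. buggySplit switches on a hypothetical defect (an
// assumption for this example, not fcors's actual code) that reproduces the
// advisory's symptom by also hanging the new remainder under the old remainder.
func (root *node) insert(host string, buggySplit bool) {
	key, n := reverse(host), root
	for key != "" {
		next := n.child(key[0])
		if next == nil {
			n.children = append(n.children, &node{label: key, terminal: true})
			return
		}
		i := 0
		for i < len(key) && i < len(next.label) && key[i] == next.label[i] {
			i++
		}
		if i < len(next.label) { // split next; the loop then adds any remainder beside old
			old := &node{label: next.label[i:], terminal: next.terminal, children: next.children}
			next.label, next.terminal, next.children = next.label[:i], false, []*node{old}
			if buggySplit && i < len(key) {
				// bug: "moc.oof" followed by "rab" (= barfoo.com) now walks to a terminal
				old.children = append(old.children, &node{label: key[i:], terminal: true})
			}
		}
		if key, n = key[i:], next; key == "" {
			next.terminal = true
		}
	}
}

// contains accepts only when the whole reversed host is consumed on a terminal node.
func (root *node) contains(host string) bool {
	key, n := reverse(host), root
	for key != "" {
		next := n.child(key[0])
		if next == nil || !strings.HasPrefix(key, next.label) {
			return false
		}
		key, n = key[len(next.label):], next
	}
	return n.terminal
}

// leakedSiblings is the allow-list check: for each ordered pair of listed hosts it
// glues the second host's first label onto the first and returns those accepted.
func leakedSiblings(root *node, hosts ...string) []string {
	var leaked []string
	for _, a := range hosts {
		for _, b := range hosts {
			if h := strings.SplitN(b, ".", 2)[0] + a; a != b && root.contains(h) {
				leaked = append(leaked, h)
			}
		}
	}
	return leaked
}

func main() {
	hosts := []string{"foo.com", "bar.com"} // the advisory's example, in that order
	for _, buggy := range []bool{true, false} {
		root := &node{}
		for _, h := range hosts {
			root.insert(h, buggy)
		}
		fmt.Printf("buggySplit=%v leaked=%v\n", buggy, leakedSiblings(root, hosts...))
	}
}
```

With foo.com and bar.com inserted in that order, the defective split reports barfoo.com as accepted while the correct split reports nothing; inserting them in the other order moves the leak to foobar.com in this model, which is why the advisory stresses pattern order. The same sibling check can be pointed at any middleware you can call with a constructed Origin header, and a non-empty result is a finding.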

Patches

Patched in v0.9.0.

Workarounds

None.

References

  • GHSA-v84h-653v-4pq9
  • jub0bs/fcors@08d85c1

Published to the GitHub Advisory Database

May 3, 2024
