Vulnerability Report: GO-2025-3955

standard library

CVE-2025-47910, CVE-2025-47910
Affects: net/http
Published: Sep 22, 2025

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Affected Packages

Path

Go Versions

Symbols
net/http

from go1.25.0 before go1.25.1
- CrossOriginProtection.AddInsecureBypassPattern

Aliases

CVE-2025-47910
CVE-2025-47910

References

https://go.dev/cl/699275
https://go.dev/issue/75054
https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ
https://vuln.go.dev/ID/GO-2025-3955.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL