GHSA-mh55-gqvf-xfwm

Suggest an improvement
Source
https://github.com/advisories/GHSA-mh55-gqvf-xfwm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-mh55-gqvf-xfwm/GHSA-mh55-gqvf-xfwm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mh55-gqvf-xfwm
Aliases
Related
Published
2024-07-05T19:42:48Z
Modified
2025-08-06T22:10:52Z
Summary
Denial of service via malicious preflight requests in github.com/rs/cors
Details

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Database specific 
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-770"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2024-07-05T19:42:48Z"
}
References

Affected packages

Go / github.com/rs/cors

Package

Name
github.com/rs/cors
View open source insights on deps.dev
Purl
pkg:golang/github.com/rs/cors

Affected ranges

Type
SEMVER
Events
Introduced
1.9.0
Fixed
1.11.0