GHSA-vh9x-phq6-fx54

Source

https://github.com/advisories/GHSA-vh9x-phq6-fx54

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-vh9x-phq6-fx54/GHSA-vh9x-phq6-fx54.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vh9x-phq6-fx54

Withdrawn

2025-08-06T22:09:08Z

Published

2025-08-06T21:31:40Z

Modified

2025-08-06T22:09:08Z

Severity

2.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Duplicate Advisory: Denial of service via malicious preflight requests in github.com/rs/cors

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-mh55-gqvf-xfwm. This link is maintained to preserve external references.

Original Description

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Database specific

{
    "cwe_ids": [
        "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-06T22:09:08Z",
    "nvd_published_at": "2025-08-06T21:15:29Z",
    "severity": "LOW"
}

References

Affected packages

Go / github.com/rs/cors

Package

Name: github.com/rs/cors; View open source insights on deps.dev
Purl: pkg:golang/github.com/rs/cors

Affected ranges

Type: SEMVER
Events: Introduced

1.9.0

Fixed

1.11.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-vh9x-phq6-fx54/GHSA-vh9x-phq6-fx54.json"