CORS filters that use an AllowedDomains configuration parameter can match domains outside the specified set, permitting an attacker to avoid the CORS policy.
The AllowedDomains configuration parameter is documented as a list of allowed origin domains, but values in this list are applied as regular expression matches. For example, an allowed domain of "example.com" will match the Origin header "example.com.malicious.domain".
{ "review_status": "REVIEWED", "url": "https://pkg.go.dev/vuln/GO-2022-0619" }