GO-2024-2883

See a problem?
Source
https://pkg.go.dev/vuln/GO-2024-2883
Import Source
https://vuln.go.dev/ID/GO-2024-2883.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2024-2883
Aliases
Published
2024-07-02T19:20:36Z
Modified
2024-07-09T20:29:24.588477Z
Summary
Denial of service via malicious preflight requests in github.com/rs/cors
Details

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

References
Credits
    • @jub0bs

Affected packages

Go / github.com/rs/cors

Package

Name
github.com/rs/cors
View open source insights on deps.dev
Purl
pkg:golang/github.com/rs/cors

Affected ranges

Type
SEMVER
Events
Introduced
1.9.0
Fixed
1.11.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/rs/cors",
            "symbols": [
                "AllowAll",
                "Cors.HandlerFunc",
                "Cors.ServeHTTP",
                "Cors.areHeadersAllowed",
                "Cors.handlePreflight",
                "Default",
                "New",
                "splitHeaderValues"
            ]
        }
    ]
}