GO-2025-3955

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2025-3955

Import Source

https://vuln.go.dev/ID/GO-2025-3955.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2025-3955

Aliases

Published

2025-09-22T20:48:35Z

Modified

2025-09-24T23:41:28.146106Z

Summary

CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http

Details

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2025-3955",
    "review_status": "REVIEWED"
}

References

Affected packages

Go / stdlib

Package

Name: stdlib; View open source insights on deps.dev
Purl: pkg:golang/stdlib

Affected ranges

Type: SEMVER
Events: Introduced

1.25.0

Fixed

1.25.1

Ecosystem specific

{
    "imports": [
        {
            "path": "net/http",
            "symbols": [
                "CrossOriginProtection.AddInsecureBypassPattern"
            ]
        }
    ]
}