VYPR
Moderate severity · OSV Advisory · Published Jan 28, 2019 · Updated Aug 5, 2024

CVE-2018-20744

Description

The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Go CORS handler through 1.3.0 reflects arbitrary Origin values when configured with *, violating CORS spec and potentially enabling unauthorized cross-origin access.

Vulnerability

The Olivier Poitrey Go CORS handler library (rs/cors) through version 1.3.0 contains a security flaw: when Access-Control-Allow-Origin is configured as * (wildcard), the handler actively reflects whatever Origin header value the request carries, rather than returning the literal * value. This goes against the CORS specification, which dictates that * should match any origin without reflecting it. The library prints a warning but still performs the reflection. [2][3]

Exploitation

An attacker can send a request with a crafted Origin header (e.g., https://attacker.com) to a server using the vulnerable library with a wildcard CORS policy. The server will include that arbitrary origin in the Access-Control-Allow-Origin response header. No authentication or special privileges are required; the attacker only needs to be able to send HTTP requests to the target server.

Impact

By reflecting an arbitrary origin, the server effectively allows any website to make cross-origin requests to it. This can lead to unauthorized data access or actions on behalf of users if the server relies on CORS for security. In the presence of credentials (e.g., cookies), the impact is amplified because the browser will accept the reflected origin, which a literal * would not permit, potentially enabling cross-origin read or write attacks. [3]

Mitigation

The issue was fixed in the rs/cors library by pull request #57, which made the * behavior standards-compliant. Users should upgrade to a version after 1.3.0 (the fixed version is not explicitly stated, but the PR was merged). Alternatively, users can avoid using the * wildcard and instead explicitly list allowed origins. [4]
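As an added illustration (not rs/cors code, and not the actual PR #57 change), the flawed wildcard handling beside its spec-conformant form, plus a probe a defender can run against a wildcard-configured endpoint; the handler names, paths and the canary origin are constructed for this example:

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// corsHandler answers a wildcard (*) CORS policy in front of next. reflect=true
// models the flawed behaviour described above; reflect=false is the conformant form.
func corsHandler(next http.Handler, reflect, credentials bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if origin := r.Header.Get("Origin"); origin != "" {
			if reflect {
				// Flawed: "*" silently becomes "allow whichever origin asked".
				w.Header().Set("Access-Control-Allow-Origin", origin)
			} else {
				// Conformant: the literal wildcard. Browsers refuse to pair "*"
				// with credentials, so cookie-bearing cross-origin reads fail.
				w.Header().Set("Access-Control-Allow-Origin", "*")
			}
			if credentials {
				w.Header().Set("Access-Control-Allow-Credentials", "true")
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a GET with the given Origin and returns the ACAO header value.
func probe(h http.Handler, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/api/data", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Result().Header.Get("Access-Control-Allow-Origin")
}

// reflectsOrigin is the defender-side check: a wildcard-configured endpoint
// that echoes a constructed canary origin instead of answering "*" has the flaw.
func reflectsOrigin(h http.Handler) bool {
	const canary = "https://cors-canary.invalid" // constructed, non-routable
	return probe(h, canary) == canary
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusNoContent) })
	println("flawed reflects origin:", reflectsOrigin(corsHandler(ok, true, false)))
	println("fixed reflects origin:", reflectsOrigin(corsHandler(ok, false, false)))
}
```

Against a live service the same probe is a plain request carrying an Origin you control; an answer echoing that origin rather than * means the deployment still has the flaw.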

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     | Ecosystem | Affected versions   | Patched versions
github.com/gofiber/fiber/v2 | Go        | >= 2.0.0, < 2.43.0  | 2.43.0
github.com/rs/cors          | Go        | < 1.5.0             | 1.5.0
