Critical severity 9.1 · NVD Advisory · Published Jun 29, 2024 · Updated Apr 15, 2026
CVE-2019-25211
Description
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
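The off-by-one described above, as an added Go example that is not the project's own code: it models only the trailing-wildcard branch with the old and new slice bounds. The names `trailingWildcardRule` and `originAllowed` are hypothetical, prefix matching of a `{prefix, "*"}` rule is an assumption, and the sample origins are constructed from the advisory's examples.

```go
package main

import (
	"fmt"
	"strings"
)

// trailingWildcardRule models only the trailing-"*" branch of the parser.
// patched=false reproduces the pre-1.6.0 slice o[:i-1], which also drops the
// character before the wildcard; patched=true uses o[:i] as in the fix.
func trailingWildcardRule(o string, patched bool) []string {
	i := strings.Index(o, "*")
	if i != len(o)-1 || i < 1 {
		return nil // not a trailing wildcard: out of scope for this sketch
	}
	if patched {
		return []string{o[:i], "*"}
	}
	return []string{o[:i-1], "*"}
}

// originAllowed is an assumed matcher: a rule {prefix, "*"} accepts any
// origin string that starts with prefix.
func originAllowed(rule []string, origin string) bool {
	return rule != nil && rule[1] == "*" && strings.HasPrefix(origin, rule[0])
}

func main() {
	// Constructed sample input mirroring the advisory's examples.
	cases := []struct{ pattern, origin string }{
		{"https://example.com/*", "https://example.community/"},
		{"http://localhost/*", "http://localhost.example.com/"},
		{"https://example.com/*", "https://example.com/"},
	}
	for _, c := range cases {
		old := trailingWildcardRule(c.pattern, false)
		fixed := trailingWildcardRule(c.pattern, true)
		fmt.Printf("%-22s %-30s old=%-5v fixed=%-5v prefix %q -> %q\n",
			c.pattern, c.origin, originAllowed(old, c.origin),
			originAllowed(fixed, c.origin), old[0], fixed[0])
	}
}
```

The same three cases work as a regression check when auditing a vendored copy of the middleware older than 1.6.0.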
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gin-gonic/gin (Go) | < 1.6.0 | 1.6.0 |
| github.com/gin-contrib/cors (Go) | < 1.6.0 | 1.6.0 |
Patches
27b723a473ef: fixe(domain): wildcard parse bug (#106)
1 file changed · +1 −1
cors.go+1 −1 modified@@ -138,7 +138,7 @@ func (c Config) parseWildcardRules() [][]string { continue } if i == (len(o) - 1) { - wRules = append(wRules, []string{o[:i-1], "*"}) + wRules = append(wRules, []string{o[:i], "*"}) continue }
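Review bot: The corrected slice bound in `wRules = append(wRules, []string{o[:i], "*"})` lands without a test (1 file changed, cors.go only), so nothing pins the off-by-one against regression. Add a case for a pattern ending in `/*` that asserts the stored prefix keeps the character immediately before the `*` (for `https://example.com/*` the prefix should be `https://example.com/`), plus negative cases asserting that the look-alike origins named in the description are rejected. A one-line comment on the `i == (len(o) - 1)` branch stating that the rule is everything before the trailing `*` would also make the intent clear to the next reader.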
90a7c66401d6
1621dda317db
References
- github.com/advisories/GHSA-869c-j7wc-8jqv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-25211 (ghsa, ADVISORY)
- github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d (nvd, WEB)
- github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0 (nvd, WEB)
- github.com/gin-contrib/cors/pull/106 (nvd, WEB)
- github.com/gin-contrib/cors/pull/57 (nvd, WEB)
- github.com/gin-contrib/cors/releases/tag/v1.6.0 (nvd, WEB)
- lists.debian.org/debian-lts-announce/2025/08/msg00024.html (nvd, WEB)