Critical severity 9.1 · OSV Advisory · Published Jun 29, 2024 · Updated Apr 15, 2026
CVE-2019-25211
Description
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
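The behaviour in the description can be reproduced with a small model, added here as an illustration and not taken from the gin-contrib/cors source. It assumes the trailing-wildcard rule is compiled to a prefix that loses the character just before the `*`; the helper names `buggyPrefix`, `strictPrefix` and `originAllowed` are hypothetical, and the strict matcher is one possible check suitable for a regression test.

```go
package main

import (
	"fmt"
	"strings"
)

// compiler turns a rule ending in "*" into the prefix an Origin must start with.
type compiler func(rule string) (prefix string, ok bool)

// buggyPrefix models the mishandling (assumption): the character before the
// trailing "*" is dropped, so "https://example.com/*" becomes "https://example.com".
func buggyPrefix(rule string) (string, bool) {
	i := strings.Index(rule, "*")
	if i < 1 || i != len(rule)-1 {
		return "", false // only rules with a single trailing wildcard are modelled
	}
	return rule[:i-1], true
}

// strictPrefix keeps everything before the "*", including the "/" that
// marks the end of the host.
func strictPrefix(rule string) (string, bool) {
	i := strings.Index(rule, "*")
	if i < 1 || i != len(rule)-1 {
		return "", false
	}
	return rule[:i], true
}

// originAllowed compares the Origin header value against the compiled prefix.
// An Origin carries no path, so "/" is appended to keep the host boundary.
func originAllowed(compile compiler, rule, origin string) bool {
	prefix, ok := compile(rule)
	return ok && strings.HasPrefix(origin+"/", prefix)
}

func main() {
	// Constructed cases taken from the two examples in the description.
	cases := [][2]string{
		{"https://example.com/*", "https://example.com"},
		{"https://example.com/*", "https://example.community"},
		{"http://localhost/*", "http://localhost"},
		{"http://localhost/*", "http://localhost.example.com"},
	}
	for _, c := range cases {
		fmt.Printf("%-24s %-30s buggy=%-5v strict=%v\n", c[0], c[1],
			originAllowed(buggyPrefix, c[0], c[1]), originAllowed(strictPrefix, c[0], c[1]))
	}
}
```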
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gin-gonic/gin (Go) | < 1.6.0 | 1.6.0 |
| github.com/gin-contrib/cors (Go) | < 1.6.0 | 1.6.0 |
Affected products (3)
- Range: v1.0, v1.1, v1.2, …
- ghsa-coords: 2 versions (< 1.6.0, + 1 more)
- (no CPE) range: < 1.6.0
- (no CPE) range: < 1.6.0
References (8)
- github.com/advisories/GHSA-869c-j7wc-8jqv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-25211 (ghsa, ADVISORY)
- github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d (nvd, WEB)
- github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0 (nvd, WEB)
- github.com/gin-contrib/cors/pull/106 (nvd, WEB)
- github.com/gin-contrib/cors/pull/57 (nvd, WEB)
- github.com/gin-contrib/cors/releases/tag/v1.6.0 (nvd, WEB)
- lists.debian.org/debian-lts-announce/2025/08/msg00024.html (nvd, WEB)