CVE-2025-47910
Description
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A flaw in Go's http.CrossOriginProtection.AddInsecureBypassPattern causes bypass patterns to be matched by an internal ServeMux, whose trailing-slash redirect handling extends a bypass to request paths the pattern was not meant to cover.
Vulnerability
Description
The AddInsecureBypassPattern method of http.CrossOriginProtection in Go 1.25 is intended to exempt specific request paths from cross-origin protection checks. However, the implementation matches patterns with an internal ServeMux, and a ServeMux treats a request for /tree as a redirect to /tree/ whenever only /tree/ is registered. As a result, a bypass pattern like /hello/ also matches requests to /hello, so the protection is skipped for both paths even though the downstream handler still receives the original, slash-less path [1].
Exploitation
Conditions
An attacker can exploit this by crafting a cross-origin request (e.g., with Sec-Fetch-Site: cross-site and a valid Origin header) to a path that would normally be protected but whose trailing-slash form is configured as a bypass pattern. The internal ServeMux treats /hello as matching /hello/ for the bypass check, but the downstream handler still receives the original path /hello, so the request is served without cross-origin validation. No authentication or special network position is required beyond the ability to send such cross-origin requests to the server [1][3].
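The mechanism in the description and the exploitation conditions above come down to one ServeMux behaviour: for a request to /hello, `ServeMux.Handler` reports the pattern /hello/ even though the handler it returns is a synthesized redirect, so a check that only asks "did some pattern match?" is broader than the configured list. The following is an added audit helper, not code from the Go standard library or from the advisory. It models a bypass list as a ServeMux with sentinel handlers (an assumption about how the pre-fix check worked, made for illustration), and `OverBroadPaths` reports which probe paths would be exempted only through the trailing-slash redirect. Running it against your own bypass patterns before upgrading shows which paths the mitigation note's "avoid trailing-slash patterns" advice actually touches.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// BypassMatch records how a ServeMux used purely as a pattern matcher treats
// one request path.
type BypassMatch struct {
	Pattern  string // pattern reported by ServeMux.Handler, "" when nothing applies
	Exact    bool   // a handler registered for a bypass pattern actually served the path
	Redirect bool   // the mux only offered its automatic /tree -> /tree/ redirect
}

// newBypassMux registers every bypass pattern with a sentinel handler so a
// genuine match can be told apart from the mux's synthesized redirect handler.
// Modelling the bypass list as a ServeMux is an assumption made for this
// example; it is not the standard library's code.
func newBypassMux(patterns []string) *http.ServeMux {
	mux := http.NewServeMux()
	sentinel := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Bypass-Sentinel", "1")
		w.WriteHeader(http.StatusNoContent)
	})
	for _, p := range patterns {
		mux.Handle(p, sentinel)
	}
	return mux
}

// classify asks the mux which pattern applies to path, then runs the returned
// handler against a recorder: a non-empty pattern alone (a pattern-only check)
// does not prove that a bypass pattern names this exact path.
func classify(mux *http.ServeMux, path string) BypassMatch {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	h, pattern := mux.Handler(req)
	m := BypassMatch{Pattern: pattern}
	if pattern == "" {
		return m // no bypass pattern applies; cross-origin protection would run
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	m.Exact = rec.Header().Get("X-Bypass-Sentinel") == "1"
	m.Redirect = rec.Code == http.StatusMovedPermanently
	return m
}

// OverBroadPaths returns the probe paths that a pattern-only check would
// exempt even though no bypass pattern serves them directly: exactly the
// /hello-for-/hello/ case the advisory describes.
func OverBroadPaths(patterns, probes []string) []string {
	mux := newBypassMux(patterns)
	var out []string
	for _, p := range probes {
		if m := classify(mux, p); m.Pattern != "" && !m.Exact {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed configuration: one trailing-slash bypass pattern, three probes.
	patterns := []string{"/hello/"}
	probes := []string{"/hello/", "/hello", "/other"}
	mux := newBypassMux(patterns)
	for _, p := range probes {
		fmt.Printf("%-8s -> %+v\n", p, classify(mux, p))
	}
	fmt.Println("over-broad:", OverBroadPaths(patterns, probes))
}
```

With the constructed configuration, /hello/ is an exact match, /other matches nothing, and /hello is reported under pattern /hello/ while the handler the mux actually returns is a 301 redirect; only the last case is over-broad. A patched Go release closes this at the library level, so the helper is a way to see the effect on a concrete configuration rather than a substitute for upgrading.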
Impact
A successful bypass allows cross-origin requests to reach handlers that were expected to be protected by CrossOriginProtection. Depending on the handler logic, this could lead to unintended data exposure or state-changing operations, as the request is processed without the intended security checks. The severity is rated Medium (CVSS 5.4), reflecting the requirement that a specific bypass pattern must be configured for exploitation [1][2].
Mitigation
This vulnerability is fixed in Go versions 1.25.1 and 1.24.7, released on September 3, 2025 [3]. Users should upgrade to one of these releases. There is no documented workaround; avoiding trailing-slash patterns in AddInsecureBypassPattern may reduce risk but not eliminate it completely, so upgrading is strongly recommended.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.