CVE-2025-47910 — Expected Behavior Violation in Standard Library NET Http

CWE-440 — Expected Behavior Violation8 documents7 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 98.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GO Standard Library NET Http

Timeline

PublishedSep 22

Latest updateSep 25

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages1 packages

▶CVEListV5go_standard_library/net_http1.25.0 — 1.25.1

🔴Vulnerability Details

OSV

CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http↗2025-09-22

▶

CVEList

CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http↗2025-09-22

▶

OSV

CVE-2025-47910: When using http↗2025-09-22

▶

GHSA

GHSA-8pjc-487g-w6p2: When using http↗2025-09-22

▶

📋Vendor Advisories

Red Hat

net/http: CrossOriginProtection bypass in net/http↗2025-09-22

▶

Debian

CVE-2025-47910: golang-1.15 - When using http.CrossOriginProtection, the AddInsecureBypassPattern method can u...↗2025

▶

💬Community

Bugzilla

CVE-2025-47910 incus: CrossOriginProtection bypass in net/http [fedora-42]↗2025-09-25

▶