CVE-2025-47910
published 2025-09-22


Priority: P431, medium
CVSS 3.1: 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
EPSS: 0.31% (22.4th percentile)

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
debian | golang-1.15 | < golang-1.25 1.25.1-1 (forky) | golang-1.25 1.25.1-1 (forky)
debian | golang-1.19 | < golang-1.25 1.25.1-1 (forky) | golang-1.25 1.25.1-1 (forky)
debian | golang-1.24 | < golang-1.25 1.25.1-1 (forky) | golang-1.25 1.25.1-1 (forky)
debian | golang-1.25 | < golang-1.25 1.25.1-1 (forky) | golang-1.25 1.25.1-1 (forky)
go_standard_library | net_http | >= 1.25.0 < 1.25.1 | 1.25.1

CVSS provenance

nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
osv | 5.4 | MEDIUM
vendor_debian | 5.4 | LOW
vendor_redhat | 5.4 | MEDIUM