Skip to main content

Early Access — Mondoo Vulnerability Intelligence is currently in preview.

Mondoo Vulnerability Intelligence

Curated by Mondoo Research, enhanced with AI

Resources

Search Vulnerabilities
Trending CVEs
Browse Ecosystems
Terminology
Blog

Open Source

cnquery
cnspec

Star us on GitHub!

Company

Mondoo Platform
About
Contact

© 2026 Mondoo, Inc.

Privacy Policy Terms of Service Imprint

Vulnerability Intelligence

CVE-2025-47910

MEDIUM5.4

CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http

Published Sep 22, 2025

Modified 3 months ago

No fix available

Details

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

References

WEBhttps://go.dev/cl/699275 WEBhttps://go.dev/issue/75054 WEBhttps://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ WEBhttps://pkg.go.dev/vuln/GO-2025-3955 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-47910

CVSS Analysis

CVSS v3.1

5.4

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

RequiredUI:R

Scope

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

LowI:L

Availability

NoneA:N

5.4/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Ecosystems

Timeline

PublishedSep 22, 2025

ModifiedSep 24, 2025

CVE-2025-47910 | Mondoo Vulnerability Intelligence