CrossOriginProtection insecure bypass patterns not limited to exact matches in net/http

GO-2025-3955 · BIT-golang-2025-47910 · CVE-2025-47910

Published Sep 22, 2025 · Modified May 15, 2026

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

References

FIX https://go.dev/cl/699275
REPORT https://go.dev/issue/75054
WEB https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes