Headline
GHSA-vh9x-phq6-fx54: Duplicate Advisory: Denial of service via malicious preflight requests in github.com/rs/cors
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-mh55-gqvf-xfwm. This link is maintained to preserve external references.
Original Description
The middleware performs a prohibitive number of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. Attackers can abuse this behavior to place undue load on the middleware/server in an attempt to cause a denial of service.
Low severity • GitHub Reviewed • Published Aug 6, 2025 to the GitHub Advisory Database • Updated Aug 6, 2025
Withdrawn: This advisory was withdrawn on Aug 6, 2025
Package
gomod github.com/rs/cors (Go)
Affected versions
>= 1.9.0, < 1.11.0
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-47908
- rs/cors#170
- rs/cors#171
- https://pkg.go.dev/vuln/GO-2024-2883
Published by the National Vulnerability Database
Aug 6, 2025
Published to the GitHub Advisory Database
Aug 6, 2025