CVE-2025-47908

Aliases:GHSA-mh55-gqvf-xfwmGO-2024-2883

Advisory lineage Upstream: 0 Downstream: 6

Downstream

OPENSUSE-SU-2025:15424-1 SUSE-SU-2025:3817-1 SUSE-SU-2025:3819-1 SUSE-SU-2025:4457-1 SUSE-SU-2025:4481-1 UBUNTU-CVE-2025-47908

Deferred

Published: 06 Aug 2025, 20:41

Last modified:07 Aug 2025, 13:47

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.1 (cve.org)

EPSS Score

0.38% LOW

0% probability +0.27%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

06 Aug 2025, 20:41

Published

Vulnerability first disclosed

07 Aug 2025, 13:47

Last Modified

Vulnerability information updated

Description

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.38%• Percentile: 60%

Affected Systems

github.com/rs/cors•github.com/rs/cors
≥ 1.9.0, < 1.11.0
github.com/rs•cors
≥ 1.9.0, < 1.11.0