CVE-2025-47910

Aliases:GO-2025-3955BIT-golang-2025-47910

Advisory lineage Upstream: 0 Downstream: 14

Downstream

DEBIAN-CVE-2025-47910 OPENSUSE-SU-2025:15525-1 OPENSUSE-SU-2025:15574-1 OPENSUSE-SU-2025:20157-1 RHSA-2026:7291 RHSA-2026:7385

Deferred

Published: 22 Sept 2025, 21:01

Last modified:24 Sept 2025, 13:29

Vulnerability Summary

Overall Risk (default)

low

22/100

CVSS Score

5.4 MEDIUM

v3.1 (cve.org)

EPSS Score

0.01% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

22 Sept 2025, 21:01

Published

Vulnerability first disclosed

24 Sept 2025, 13:29

Last Modified

Vulnerability information updated

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

CVSS Metrics

v3.1•MEDIUM•Score: 5.4CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.01%• Percentile: 2%

Affected Systems

go standard library•net/http
≥ 1.25.0, < 1.25.1
Go•stdlib
≥ 1.25.0, < 1.25.1