| Name | CVE-2025-47908 |
|---|---|
| Description | Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| golang-github-rs-cors (PTS) | bullseye | 1.7.0-2 | fixed |
| golang-github-rs-cors (PTS) | forky, sid, bookworm, trixie | 1.7.0-4 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| golang-github-rs-cors | source | (unstable) | (not affected) | | | |
- golang-github-rs-cors <not-affected> (Vulnerable code introduced later)
https://github.com/advisories/GHSA-mh55-gqvf-xfwm
https://github.com/rs/cors/issues/170
https://github.com/rs/cors/pull/171
Fixed by: https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2 (v1.11.0)