CVE-2025-47908

Name: CVE-2025-47908
Description: Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package              | Release                      | Version | Status
golang-github-rs-cors (PTS) | bullseye                     | 1.7.0-2 | fixed
golang-github-rs-cors (PTS) | forky, sid, bookworm, trixie | 1.7.0-4 | fixed

The information below is based on the following data on fixed versions.

Package               | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
golang-github-rs-cors | source | (unstable) | (not affected) |         |        |

Notes

- golang-github-rs-cors <not-affected> (Vulnerable code introduced later)
https://github.com/advisories/GHSA-mh55-gqvf-xfwm
https://github.com/rs/cors/issues/170
https://github.com/rs/cors/pull/171
Fixed by: https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2 (v1.11.0)
