Bug 2397528 (CVE-2025-47910)

Summary: CVE-2025-47910 net/http: CrossOriginProtection bypass in net/http
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abarbaro, abrianik, adistefa, akostadi, akoudelk, alcohan, amasferr, amctagga, anjoseph, anpicker, ansmith, anthomas, aoconnor, asatyam, bdettelb, bkabrda, bniver, bparees, brainfor, cbartlet, chfoley, ckandaga, cmah, crizzo, debarshir, dhanak, diagrawa, dmayorov, doconnor, drosa, dsimansk, dymurray, eaguilar, ebaron, eglynn, ehelms, fdeutsch, flucifre, ggainey, ggrzybek, gmeno, gparvin, haoli, hasun, hkataria, ibolton, jaharrin, jajackso, jbalunas, jburrell, jcammara, jcantril, jchui, jeder, jfula, jhe, jjoyce, jkoehler, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jolong, jowilson, jprabhak, jschluet, jscholz, juwatts, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lball, lbragsta, lchilton, ldai, lgamliel, lhh, lphiri, lsharar, lsvaty, lucarval, mabashia, manissin, matzew, mbenjamin, mbocek, mburns, mgarciac, mhackett, mhulan, mkudlej, mmakovy, mnovotny, mrunge, mwringe, nboldt, ngough, nmoumoul, nyancey, ometelka, oramraz, osousa, owatkins, pahickey, parichar, pbraun, pcreech, peholase, pgaikwad, pgrist, pjindal, psrna, ptisnovs, pvasanth, rchan, rfreiman, rhaigner, rjohnson, rojacob, sabiswas, sakbas, sausingh, sdawley, sfeifer, shvarugh, simaishi, slucidi, smallamp, smcdonal, smullick, sostapov, sseago, stcannon, stirabos, swoodman, syedriko, tasato, teagle, tfister, thason, thavo, tjochec, tmalecek, vereddy, veshanka, vimartin, wenshen, whayutin, wtam, xdharmai, xiyuan, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A CrossOriginProtection bypass has been discovered in the golang net/http package. When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2398284, 2398285, 2398286, 2398289, 2398290, 2398291, 2398293, 2398294, 2398295, 2398296, 2398297, 2398298, 2398299, 2398300, 2398301, 2398303, 2398304, 2398307, 2398308, 2398312, 2398313, 2398315, 2398316, 2398319, 2398320, 2398321, 2398322, 2398323, 2398324, 2398325, 2398326, 2398329, 2398330, 2398331, 2398333, 2398334, 2398335, 2398339, 2398340, 2398341, 2398342, 2398343, 2398345, 2398346, 2398348, 2398349, 2398350, 2398351, 2398352, 2398353, 2398354, 2398355, 2398356, 2398357, 2398358, 2398359, 2398360, 2398362, 2398364, 2398365, 2398366, 2398367, 2398370, 2398371, 2398372, 2398373, 2398376, 2398377, 2398378, 2398379, 2398380, 2398381, 2398638, 2398639, 2398640, 2398641, 2398643, 2398647, 2398648, 2398650, 2398651, 2398652, 2398653, 2398658, 2398659, 2398660, 2398665, 2398666, 2398667, 2398668, 2398669, 2398670, 2398671, 2398672, 2398673, 2398675, 2398676, 2398677, 2398680, 2398681, 2398682, 2398683, 2398685, 2398686, 2398688, 2398689, 2398690, 2398692, 2398694, 2398695, 2398696, 2398697, 2398698, 2398699, 2398700, 2398701, 2398703, 2398704, 2398705, 2398706, 2398707, 2398708, 2398709, 2398710, 2398711, 2398712, 2398713, 2398714, 2398715, 2398716, 2398717, 2398719, 2398720, 2398721, 2398724, 2398726, 2398728, 2398730, 2398732, 2398733, 2398734, 2398735, 2398736, 2398737, 2398738, 2398739, 2398741, 2398742, 2398743, 2398744, 2398746, 2398747, 2398748, 2398749, 2398750, 2398751, 2398752, 2398754, 2398755, 2398756, 2398757, 2398758, 2398759, 2398760, 2398761, 2398762, 2398763, 2398764, 2398765, 2398766, 2398767, 2398769, 2398770, 2398771, 2398772, 2398773, 2398774, 2398775, 2398776, 2398777, 2398778, 2398779, 2398780, 2398781, 2398782, 2398783, 2398784, 2398785, 2398786, 2398787, 2398788, 2398789, 2398790, 2398791, 2398792, 2398793, 2398794, 2398795, 2398796, 2398797, 2398798, 2398799, 2398800, 2398801, 2398802, 2398803, 2398804, 2398805, 2398806, 2398807, 2398808, 2398809, 2398810, 2398811, 2398812, 2398813, 2398814, 2398815, 2398816, 2398817, 
2398818, 2398819, 2398820, 2398821, 2398822, 2398823, 2398824, 2398825, 2398827, 2398828, 2398829, 2398830, 2398831, 2398832, 2398834, 2398835, 2398837, 2398838, 2398839, 2398840, 2398842, 2398843, 2398845, 2398846, 2398851, 2398853, 2398854, 2398855, 2398856, 2398858, 2398860, 2398862, 2398863, 2398864, 2398866, 2398867, 2398868, 2398871, 2398878, 2398880, 2398881, 2398883, 2398886, 2398888, 2398889, 2398890, 2398891, 2398893, 2398895, 2398896, 2398897, 2398899, 2398900, 2398903, 2398904, 2398905, 2398906, 2398907, 2398283, 2398287, 2398288, 2398292, 2398302, 2398305, 2398306, 2398309, 2398310, 2398311, 2398314, 2398317, 2398318, 2398327, 2398328, 2398332, 2398336, 2398337, 2398338, 2398344, 2398347, 2398361, 2398363, 2398368, 2398369, 2398374, 2398375, 2398382, 2398383, 2398384, 2398385, 2398387, 2398388, 2398389, 2398390, 2398391, 2398392, 2398393, 2398394, 2398395, 2398396, 2398397, 2398398, 2398399, 2398400, 2398401, 2398402, 2398403, 2398404, 2398405, 2398406, 2398407, 2398408, 2398409, 2398410, 2398411, 2398412, 2398413, 2398414, 2398415, 2398416, 2398417, 2398418, 2398419, 2398420, 2398421, 2398422, 2398423, 2398424, 2398425, 2398426, 2398427, 2398428, 2398429, 2398430, 2398431, 2398432, 2398433, 2398434, 2398435, 2398436, 2398437, 2398438, 2398439, 2398440, 2398441, 2398442, 2398443, 2398444, 2398445, 2398446, 2398447, 2398448, 2398449, 2398450, 2398451, 2398452, 2398453, 2398454, 2398455, 2398456, 2398457, 2398458, 2398459, 2398460, 2398461, 2398462, 2398463, 2398464, 2398465, 2398466, 2398467, 2398468, 2398469, 2398470, 2398471, 2398472, 2398473, 2398474, 2398475, 2398476, 2398477, 2398478, 2398479, 2398480, 2398481, 2398482, 2398483, 2398484, 2398485, 2398486, 2398487, 2398488, 2398489, 2398490, 2398491, 2398492, 2398493, 2398495, 2398496, 2398497, 2398498, 2398499, 2398500, 2398501, 2398502, 2398504, 2398505, 2398506, 2398507, 2398508, 2398509, 2398510, 2398511, 2398512, 2398513, 2398514, 2398515, 2398516, 2398517, 2398518, 2398519, 2398520, 2398521, 
2398522, 2398523, 2398524, 2398525, 2398526, 2398527, 2398528, 2398529, 2398530, 2398531, 2398532, 2398533, 2398534, 2398535, 2398536, 2398537, 2398538, 2398539, 2398540, 2398541, 2398542, 2398543, 2398544, 2398545, 2398546, 2398547, 2398548, 2398549, 2398550, 2398551, 2398552, 2398553, 2398554, 2398555, 2398556, 2398557, 2398558, 2398559, 2398560, 2398561, 2398562, 2398563, 2398564, 2398565, 2398566, 2398567, 2398568, 2398569, 2398570, 2398571, 2398572, 2398573, 2398574, 2398575, 2398576, 2398577, 2398578, 2398579, 2398580, 2398581, 2398582, 2398583, 2398584, 2398585, 2398586, 2398587, 2398588, 2398589, 2398590, 2398591, 2398592, 2398593, 2398594, 2398595, 2398596, 2398597, 2398598, 2398599, 2398600, 2398601, 2398602, 2398603, 2398604, 2398605, 2398606, 2398607, 2398608, 2398609, 2398610, 2398611, 2398612, 2398613, 2398614, 2398615, 2398616, 2398617, 2398618, 2398619, 2398620, 2398621, 2398622, 2398623, 2398624, 2398625, 2398626, 2398627, 2398628, 2398629, 2398630, 2398631, 2398632, 2398633, 2398634, 2398635, 2398636, 2398637, 2398642, 2398644, 2398645, 2398646, 2398649, 2398654, 2398655, 2398656, 2398657, 2398661, 2398662, 2398663, 2398664, 2398674, 2398678, 2398679, 2398684, 2398687, 2398691, 2398693, 2398702, 2398718, 2398722, 2398723, 2398740, 2398753, 2398768, 2398826, 2398833, 2398836, 2398841, 2398844, 2398847, 2398848, 2398849, 2398850, 2398852, 2398857, 2398859, 2398861, 2398865, 2398869, 2398870, 2398872, 2398873, 2398874, 2398875, 2398876, 2398877, 2398879, 2398882, 2398884, 2398885, 2398887, 2398892, 2398894, 2398898, 2398901, 2398902, 2398908    
Bug Blocks:    

Description OSIDB Bzimport 2025-09-22 22:01:08 UTC
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
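Illustration of the mechanism described above. This is an added example, not code from the Go standard library, from the CrossOriginProtection implementation or from the fix; BypassChecker, NaiveBypassed, StrictBypassed, RouteRaw, bypassMarker and Decision are hypothetical names, and the assumption being modelled is a bypass list keyed on ServeMux patterns and consulted through ServeMux.Handler. That method's documented contract is the crux: for a path that is not in canonical form it returns an internally generated redirect handler together with the pattern the *canonical* path would match, and for "/tree" with only "/tree/" registered it likewise returns a redirect plus "/tree/". A check that only asks "did Handler return a non-empty pattern?" therefore answers yes for "/admin/../public/x", while the request path itself is left untouched; if the application's own router dispatches on the raw path (ServeMux would redirect, but many routers do not), that same request reaches the admin handler with the cross-origin check skipped. The strict variant refuses non-canonical paths outright and only honours a match when the handler that comes back is the marker that was registered, so a synthesised redirect never counts as a bypass.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
	"strings"
)

// bypassMarker is registered for every bypass pattern. A distinct type lets the
// strict check tell a genuine match from the redirect handler ServeMux
// synthesises for non-canonical paths.
type bypassMarker struct{}

func (bypassMarker) ServeHTTP(http.ResponseWriter, *http.Request) {}

// BypassChecker is a hypothetical stand-in for a CSRF bypass list keyed on
// ServeMux patterns. It is not the net/http implementation.
type BypassChecker struct{ mux *http.ServeMux }

func NewBypassChecker(patterns ...string) *BypassChecker {
	mux := http.NewServeMux()
	for _, p := range patterns {
		mux.Handle(p, bypassMarker{})
	}
	return &BypassChecker{mux: mux}
}

// NaiveBypassed treats any non-empty pattern from ServeMux.Handler as a match.
// ServeMux.Handler canonicalises the path first (path.Clean plus the
// trailing-slash redirect) and, for a non-canonical path, reports the pattern
// the canonical path would hit. So "/admin/../public/x" is reported as
// matching "/public/" even though nothing has rewritten the request path.
func (b *BypassChecker) NaiveBypassed(r *http.Request) bool {
	_, pattern := b.mux.Handler(r)
	return pattern != ""
}

// StrictBypassed only honours the bypass when the path is already canonical
// and the handler returned is the marker we registered, i.e. not a redirect.
func (b *BypassChecker) StrictBypassed(r *http.Request) bool {
	if cleanPath(r.URL.Path) != r.URL.Path {
		return false
	}
	h, _ := b.mux.Handler(r)
	_, ok := h.(bypassMarker)
	return ok
}

// cleanPath mirrors the canonicalisation ServeMux applies before matching.
func cleanPath(p string) string {
	if p == "" {
		return "/"
	}
	if p[0] != '/' {
		p = "/" + p
	}
	np := path.Clean(p)
	// path.Clean drops a trailing slash; put it back so "/dir/" stays a subtree.
	if p[len(p)-1] == '/' && np != "/" {
		np += "/"
	}
	return np
}

// RouteRaw models an application router that dispatches on the raw request
// path without canonicalising it: the "different handler" of the advisory.
func RouteRaw(p string) string {
	switch {
	case strings.HasPrefix(p, "/admin/"):
		return "admin"
	case strings.HasPrefix(p, "/public/"):
		return "public"
	default:
		return "notfound"
	}
}

// Decision records what each check says about a request and who would serve it.
type Decision struct {
	Naive, Strict bool
	Handler       string
}

func Classify(b *BypassChecker, target string) Decision {
	// Constructed request; url.Parse keeps "/admin/../public/x" verbatim.
	r, err := http.NewRequest(http.MethodPost, "http://example.com"+target, nil)
	if err != nil {
		panic(err)
	}
	return Decision{
		Naive:   b.NaiveBypassed(r),
		Strict:  b.StrictBypassed(r),
		Handler: RouteRaw(r.URL.Path),
	}
}

func main() {
	b := NewBypassChecker("/public/")
	for _, t := range []string{"/public/x", "/public", "/admin/../public/x", "/admin/x"} {
		d := Classify(b, t)
		fmt.Printf("%-20s naive=%-5v strict=%-5v served-by=%s\n", t, d.Naive, d.Strict, d.Handler)
	}
}
```

The row for "/admin/../public/x" is the one that matters: the naive check reports a bypass, the strict check does not, and the raw-path router sends the request to the admin handler. Note that ServeMux itself would answer that request with a 301 to "/public/x", so the mismatch only bites when the bypass list and the real router canonicalise differently; the Go 1.25.1 change referenced in the comments below is the authoritative fix, and this example only models the shape of the over-permissive check.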

Comment 1 Dominik 'Rathann' Mierzejewski 2025-09-26 10:33:37 UTC
Note: this is fixed in Golang 1.24.7 and 1.25.1 (https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ). A mass-rebuild of the packages listed in blocking bugs will fix this.

Comment 2 Debarshi Ray 2025-09-29 11:09:34 UTC
Other aliases for this are GHSA-8pjc-487g-w6p2 and GO-2025-3955:
https://github.com/advisories/GHSA-8pjc-487g-w6p2
https://pkg.go.dev/vuln/GO-2025-3955

Comment 3 Debarshi Ray 2025-09-29 11:16:01 UTC
(In reply to Dominik 'Rathann' Mierzejewski from comment #1)
> Note: this is fixed in Golang 1.24.7 and 1.25.1
> (https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ).
> A mass-rebuild of the packages listed in blocking bugs will fix this.

Yes, this is fixed in Go version 1.25.1:
https://github.com/golang/go/commit/b1959cf6f7673eaffa89bbdb00e68b30cde3aa8a

... but is it really "fixed" in 1.24.7?

I think that release announcement is misleading.  This is only fixed in Go 1.25.1, because the problem doesn't affect anything older than Go 1.25.0:
https://pkg.go.dev/vuln/GO-2025-3955

The Git commits in the release-branch.go1.24 branch confirm this:
https://github.com/golang/go/commits/release-branch.go1.24/

If that's true then Fedora 41 and 42 are unaffected by this because they only have Go 1.24.7:
https://koji.fedoraproject.org/koji/packageinfo?packageID=16224

Comment 4 Dominik 'Rathann' Mierzejewski 2025-11-17 09:39:26 UTC
EPEL9 packages built with Go 1.24.6 are not affected, either.