2386952 – (CVE-2025-47908) CVE-2025-47908 github.com/rs/cors: Denial of service via malicious preflight requests in github.com/rs/cors

Bug 2386952 (CVE-2025-47908) - CVE-2025-47908 github.com/rs/cors: Denial of service via malicious preflight requests in github.com/rs/cors

Summary: CVE-2025-47908 github.com/rs/cors: Denial of service via malicious preflight ...

Keywords:
Status:	NEW
Alias:	CVE-2025-47908
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2387003 2387004
Blocks:
TreeView+	depends on / blocked

Reported:	2025-08-06 21:02 UTC by OSIDB Bzimport
Modified:	2025-08-07 12:43 UTC (History)
CC List:	41 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-08-06 21:02:28 UTC

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Note You need to log in before you can comment on or make changes to this bug.

alcohan
amctagga
anjoseph
aoconnor
bkabrda
bniver
dhanak
drosa
dsimansk
fdeutsch
flucifre
gmeno
gparvin
jkoehler
jprabhak
kingland
kverlaen
lball
lchilton
lphiri
matzew
mbenjamin
mhackett
mnovotny
mwringe
ngough
njean
oramraz
owatkins
pahickey
rhaigner
sausingh
sdawley
sfeifer
smullick
sostapov
stirabos
thason
vereddy
veshanka
wtam