Bug 2397528 (CVE-2025-47910) - CVE-2025-47910 net/http: CrossOriginProtection bypass in net/http
Summary: CVE-2025-47910 net/http: CrossOriginProtection bypass in net/http
Keywords:
Status: NEW
Alias: CVE-2025-47910
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-09-22 22:01 UTC by OSIDB Bzimport
Modified: 2025-09-29 11:16 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-09-22 22:01:08 UTC
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
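The mismatch the description refers to, between the decision to skip validation and the handler that actually serves the unmodified request path, as an added audit example that is not part of this bug report or of Go's own code. It assumes the bypass list can be modelled with a plain ServeMux (the pattern syntax AddInsecureBypassPattern documents); the sentinel handler, the prefix-based app router and the sample paths are constructed for the example.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// Sentinel handler registered for every bypass pattern; only its identity is checked.
type bypassSentinel struct{}
func (*bypassSentinel) ServeHTTP(http.ResponseWriter, *http.Request) {}
var sentinel = &bypassSentinel{}

// newBypassMux models the bypass list as a ServeMux (the syntax AddInsecureBypassPattern documents); an assumption, not the real type.
func newBypassMux(patterns ...string) *http.ServeMux {
	mux := http.NewServeMux()
	for _, p := range patterns {
		mux.Handle(p, sentinel)
	}
	return mux
}

// classify asks the bypass mux about the raw path: loose is true whenever a pattern is
// reported, redirect matches included; strict only when the sentinel itself would serve it.
func classify(mux *http.ServeMux, path string) (loose, strict bool) {
	req := &http.Request{Method: "GET", Host: "app.example", URL: &url.URL{Path: path}}
	h, pattern := mux.Handler(req)
	return pattern != "", h == sentinel
}

// appRoute: hypothetical app router dispatching on the raw, uncleaned path prefix (constructed).
func appRoute(path string) string {
	for _, area := range []string{"admin", "public"} {
		if strings.HasPrefix(path, "/"+area+"/") {
			return area
		}
	}
	return "not found"
}

// auditBypass lists paths the loose check exempts although the app routes them elsewhere.
func auditBypass(mux *http.ServeMux, paths []string) []string {
	var findings []string
	for _, p := range paths {
		if loose, _ := classify(mux, p); loose && appRoute(p) != "public" {
			findings = append(findings, p)
		}
	}
	return findings
}
```

With the bypass pattern "/public/", the loose check also exempts "/admin/../public/" and "/public", which the app router would send to the admin handler and to not-found respectively; the strict check exempts only "/public/…" paths as sent.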

Comment 1 Dominik 'Rathann' Mierzejewski 2025-09-26 10:33:37 UTC
Note: this is fixed in Golang 1.24.7 and 1.25.1 (https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ). A mass-rebuild of the packages listed in blocking bugs will fix this.

Comment 2 Debarshi Ray 2025-09-29 11:09:34 UTC
Other aliases for this are GHSA-8pjc-487g-w6p2 and GO-2025-3955:
https://github.com/advisories/GHSA-8pjc-487g-w6p2
https://pkg.go.dev/vuln/GO-2025-3955

Comment 3 Debarshi Ray 2025-09-29 11:16:01 UTC
(In reply to Dominik 'Rathann' Mierzejewski from comment #1)
> Note: this is fixed in Golang 1.24.7 and 1.25.1
> (https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ).
> A mass-rebuild of the packages listed in blocking bugs will fix this.

Yes, this is fixed in Go version 1.25.1:
https://github.com/golang/go/commit/b1959cf6f7673eaffa89bbdb00e68b30cde3aa8a

... but is it really "fixed" in 1.24.7?

I think that release announcement is misleading. This is only fixed in Go 1.25.1, because the problem doesn't affect anything older than Go 1.25.0:
https://pkg.go.dev/vuln/GO-2025-3955

The Git commits in the release-branch.go1.24 branch confirm this:
https://github.com/golang/go/commits/release-branch.go1.24/

If that's true then Fedora 41 and 42 are unaffected by this because they only have Go 1.24.7:
https://koji.fedoraproject.org/koji/packageinfo?packageID=16224
