When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
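As an added example (not code from the Go project or from this report), a bypass wrapper that closes the gap the description names: a request is exempted from the cross-origin check only when the ServeMux-style matcher would serve its path exactly as received, so the path the matcher accepted is the path the downstream handler gets. The names SafeBypass, bypassSentinel and DemoCheck are this example's own, and DemoCheck only stands in for a real check such as http.CrossOriginProtection.Check on Go 1.25+.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
)

const bypassSentinel = http.StatusNoContent // marker status; a ServeMux redirect never produces it

// SafeBypass takes ServeMux-style patterns, as AddInsecureBypassPattern does, but
// exempts a request only if the matcher would serve its path exactly as received.
type SafeBypass struct{ mux *http.ServeMux }

func NewSafeBypass(patterns ...string) *SafeBypass {
	mux := http.NewServeMux()
	mark := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(bypassSentinel) })
	for _, p := range patterns {
		mux.Handle(p, mark)
	}
	return &SafeBypass{mux: mux}
}

// Allows reports whether r may skip the check: the matcher answers 204 on a genuine
// match, 301 when it would redirect (non-canonical path, /tree vs /tree/), 404 otherwise.
func (b *SafeBypass) Allows(r *http.Request) bool {
	rec := httptest.NewRecorder()
	b.mux.ServeHTTP(rec, r)
	return rec.Code == bypassSentinel
}

// Protect applies check (on Go 1.25+, e.g. (*http.CrossOriginProtection).Check) to
// every request Allows does not exempt, answering 403 when it fails.
func (b *SafeBypass) Protect(check func(*http.Request) error, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := check(r); err != nil && !b.Allows(r) {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// DemoCheck stands in for the real check (constructed for this example): it
// rejects requests the browser labels cross-site in the Sec-Fetch-Site header.
func DemoCheck(r *http.Request) error {
	if r.Header.Get("Sec-Fetch-Site") == "cross-site" {
		return errors.New("cross-site request rejected")
	}
	return nil
}
```

A request whose path the matcher would only redirect (and so route differently downstream) is not exempted and still goes through the check.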
Note: this is fixed in Golang 1.24.7 and 1.25.1 (https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ). A mass-rebuild of the packages listed in blocking bugs will fix this.
Other aliases for this are GHSA-8pjc-487g-w6p2 and GO-2025-3955: https://github.com/advisories/GHSA-8pjc-487g-w6p2 https://pkg.go.dev/vuln/GO-2025-3955
(In reply to Dominik 'Rathann' Mierzejewski from comment #1)
> Note: this is fixed in Golang 1.24.7 and 1.25.1
> (https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ).
> A mass-rebuild of the packages listed in blocking bugs will fix this.

Yes, this is fixed in Go version 1.25.1: https://github.com/golang/go/commit/b1959cf6f7673eaffa89bbdb00e68b30cde3aa8a

... but is it really "fixed" in 1.24.7? I think that release announcement is misleading. This is only fixed in Go 1.25.1, because the problem doesn't affect anything older than Go 1.25.0: https://pkg.go.dev/vuln/GO-2025-3955

The Git commits in the release-branch.go1.24 branch confirm this: https://github.com/golang/go/commits/release-branch.go1.24/

If that's true, then Fedora 41 and 42 are unaffected by this because they only have Go 1.24.7: https://koji.fedoraproject.org/koji/packageinfo?packageID=16224