GSA_kwCzR0hTQS1taDU1LWdxdmYteGZ3bc4AA9m0

Moderate

Permalink JSON

Denial of service via malicious preflight requests in github.com/rs/cors

Affected Packages	Affected Versions	Fixed Versions
go:github.com/rs/cors	>= 1.9.0, < 1.11.0	1.11.0
11,242 Dependent packages 27,043 Dependent repositories Affected Version Ranges All affected versions 1.9.0, 1.10.0, 1.10.1 All unaffected versions 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.11.0, 1.11.1

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

References:

https://github.com/rs/cors/issues/170
https://github.com/rs/cors/pull/171
https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2
https://github.com/advisories/GHSA-mh55-gqvf-xfwm

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories

GSA_kwCzR0hTQS1taDU1LWdxdmYteGZ3bc4AA9m0

Denial of service via malicious preflight requests in github.com/rs/cors

Affected Version Ranges

All affected versions

All unaffected versions

Identifiers

Risk

Severity

Classification

Source

Origin

Repository

Date and time

Published

Updated

API