CVE-2019-25211
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
CVE Program Container
Additional References
- https://github.com/gin-contrib/cors/pull/57
- https://github.com/gin-contrib/cors/pull/106
- https://github.com/gin-contrib/cors/compare/v1.5.0…v1.6.0
- https://github.com/gin-contrib/cors/releases/tag/v1.6.0
- https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d
- https://lists.debian.org/debian-lts-announce/2025/08/msg00024.html
References
- https://github.com/gin-contrib/cors/pull/57
- https://github.com/gin-contrib/cors/pull/106
- https://github.com/gin-contrib/cors/compare/v1.5.0…v1.6.0
- https://github.com/gin-contrib/cors/releases/tag/v1.6.0
- https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.