CVE-2025-47908

Summary

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Affected Software

VendorProductVersion RangeStatus
github.com/rs/corsgithub.com/rs/cors1.9.0 < 1.11.0affected

Weaknesses

  • CWE-1325: Improperly Controlled Sequential Memory Allocation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References