Vulnerability Report: GO-2024-2604

CVE-2024-27302, GHSA-fgxv-gw55-r5fq
Affects: github.com/zeromicro/go-zero
Published: Mar 11, 2024
Modified: May 20, 2024

The CORS Filter feature in go-zero allows users to specify an array of domains allowed in the CORS policy. However, the isOriginAllowed function uses strings.HasSuffix to check the origin, which can lead to a bypass via a domain like "evil-victim.com". This vulnerability is capable of breaking CORS policy and thus allowing any page to make requests and retrieve data on behalf of other users.

For detailed information about this vulnerability, visit https://github.com/zeromicro/go-zero/security/advisories/GHSA-fgxv-gw55-r5fq.

Affected Packages

Path

Go Versions

Symbols
github.com/zeromicro/go-zero/rest/internal/cors

before v1.4.4
1 unexported affected symbols
- isOriginAllowed

Aliases

CVE-2024-27302
GHSA-fgxv-gw55-r5fq

References

https://github.com/zeromicro/go-zero/security/advisories/GHSA-fgxv-gw55-r5fq
https://github.com/zeromicro/go-zero/commit/d9d79e930dff6218a873f4f02115df61c38b15db
https://vuln.go.dev/ID/GO-2024-2604.json

Credits

cokeBeer

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL