CVE-2025-47908 — Denial of service via malicious preflight requests in github.com/rs/cors

描述

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

如何修補 CVE-2025-47908

要修補 CVE-2025-47908,請將受影響套件升級到下列已修補版本。

Go/github.com/rs/cors—升級至 1.11.0 或更新版本
Go/github.com/rs/cors—升級至 1.11.0 或更新版本

CVE-2025-47908 正在被利用嗎?

低 — EPSS 為 0.4%,目前沒有觀察到大規模利用活動。

受影響套件(2)

>= 1.9.0, < 1.11.0
>= 1.9.0, < 1.11.0

參考連結(6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-47908
PATCHgithub.com/rs/cors
WEBgithub.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2
WEBgithub.com/rs/cors/issues/170
WEBgithub.com/rs/cors/pull/171