{"id":"CVE-2019-25211","details":"parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.","aliases":["GHSA-869c-j7wc-8jqv","GO-2024-2955"],"modified":"2026-04-02T02:07:41.593003Z","published":"2024-06-29T00:15:02.107Z","references":[{"type":"WEB","url":"https://github.com/gin-contrib/cors/releases/tag/v1.6.0"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00024.html"},{"type":"WEB","url":"https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0"},{"type":"FIX","url":"https://github.com/gin-contrib/cors/pull/106"},{"type":"FIX","url":"https://github.com/gin-contrib/cors/pull/57"},{"type":"FIX","url":"https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gin-contrib/cors","events":[{"introduced":"0"},{"fixed":"90a7c66401d66f6c7ac120dbe1ae7b63e7e4271f"},{"fixed":"27b723a473efd80d5a498fa9f5933c80204c850d"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.6.0"}]}}],"versions":["v1.0","v1.1","v1.2","v1.3.0","v1.3.1","v1.4.0","v1.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-25211.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}