{"id":"CVE-2025-47910","details":"When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.","aliases":["BIT-golang-2025-47910","GO-2025-3955"],"modified":"2026-03-23T05:02:08.690794675Z","published":"2025-09-22T21:15:59Z","related":["CGA-5whr-7566-g2wp","SUSE-SU-2025:03200-1","SUSE-SU-2025:03524-1","SUSE-SU-2025:03525-1","SUSE-SU-2025:21192-1","SUSE-SU-2025:3799-1","SUSE-SU-2026:0297-1","SUSE-SU-2026:0298-1","openSUSE-SU-2025:15525-1","openSUSE-SU-2025:15574-1","openSUSE-SU-2025:20157-1"],"references":[{"type":"WEB","url":"https://go.dev/cl/699275"},{"type":"WEB","url":"https://go.dev/issue/75054"},{"type":"WEB","url":"https://groups.google.com/g/golang-announce/c/PtW9VW21NPs/m/DJhMQ-m5AQAJ"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2025-3955"}],"schema_version":"1.7.3"}