CVE-2025-47908

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rs/cors/issues/170
https://github.com/rs/cors/pull/171
https://pkg.go.dev/vuln/GO-2024-2883

Configurations

No configuration.

History

07 Aug 2025, 14:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
Summary		(es) El middleware genera una cantidad prohibitiva de asignaciones de montón al procesar solicitudes preflight maliciosas que incluyen un encabezado ACRH (Access-Control-Request-Headers) cuyo valor contiene muchas comas. Los atacantes pueden abusar de este comportamiento para generar una carga excesiva en el middleware/servidor con el fin de provocar una denegación de servicio.

06 Aug 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-06 21:15

Updated : 2025-08-07 21:26

NVD link : CVE-2025-47908

Mitre link : CVE-2025-47908

CVE.ORG link : CVE-2025-47908

JSON object : View

Products Affected

No product.

CWE

No CWE.

7.5 /10