CVE-2019-25211

EUVD-2024-1974
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA-ADPADP
9.1 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
Debian logo
Debian Releases
Debian Product
Codename
golang-github-gin-contrib-cors
bookworm
no-dsa
bullseye
no-dsa
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
golang-github-gin-contrib-cors
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
needs-triage
Common Weakness Enumeration
References
https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d
https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0
https://github.com/gin-contrib/cors/pull/106
https://github.com/gin-contrib/cors/pull/57
https://github.com/gin-contrib/cors/releases/tag/v1.6.0
https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d
https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0
https://github.com/gin-contrib/cors/pull/106
https://github.com/gin-contrib/cors/pull/57
https://github.com/gin-contrib/cors/releases/tag/v1.6.0
https://lists.debian.org/debian-lts-announce/2025/08/msg00024.html