CVE-2019-25211
CORS Misconfiguration vulnerability in cors (Go)


What is CVE-2019-25211 About?

Gin-Gonic CORS middleware before 1.6.0 mishandles wildcards in origin strings, allowing broader access than intended. This misconfiguration constitutes a security vulnerability, potentially allowing unauthorized cross-origin requests.

Affected Software

  • github.com/gin-contrib/cors
    • <1.6.0
  • github.com/gin-gonic/gin
    • <1.6.0

Technical Details

The Gin-Gonic CORS middleware, in versions prior to 1.6.0, contains a flaw in its parseWildcardRules function. This function processes and validates origin strings that contain wildcard characters for Cross-Origin Resource Sharing (CORS) policies. The vulnerability arises because the middleware mishandles a wildcard character (*) when it appears at the end of an origin string. For example, if a developer intends to allow access only from https://example.com/* (meaning subdomains of example.com, or specific paths under example.com, etc.), the parsing error grants broader access, such as accepting origins matching https://example.community/*. Similarly, http://localhost.example.com/* is accepted instead of only the intended http://localhost/*. The result is a bypass of the intended CORS policy, allowing unauthorized domains to make cross-origin requests.
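To make the parsing flaw concrete, here is an added Go example (not the middleware's own code): a small reimplementation of the wildcard-rule parser and the prefix/suffix origin check, with a buggy flag that models the pre-1.6.0 trailing-wildcard branch as an off-by-one that trims one character too many from the prefix. That model is our assumption (the page shows no code), but it reproduces exactly the two unintended acceptances described above; the rule and origin values are the ones quoted on this page, and the function names are ours.

```go
package main

import (
	"fmt"
	"strings"
)

// parseRule splits one wildcard origin rule into a [prefix, suffix] pair.
// With buggy=true the trailing-wildcard branch slices rule[:i-1] instead of
// rule[:i], silently dropping the last real character of the prefix
// (e.g. the "/" in "https://example.com/*"). This off-by-one is our model
// of the pre-1.6.0 flaw, not code copied from the project.
func parseRule(rule string, buggy bool) [2]string {
	i := strings.Index(rule, "*")
	switch {
	case i < 0:
		return [2]string{rule, ""} // no wildcard: exact match only
	case i == 0:
		return [2]string{"", rule[1:]} // leading wildcard: suffix match
	case i == len(rule)-1: // wildcard at the end of the origin string
		if buggy {
			return [2]string{rule[:i-1], ""}
		}
		return [2]string{rule[:i], ""}
	}
	return [2]string{rule[:i], rule[i+1:]} // wildcard in the middle
}

// originAllowed applies the prefix/suffix test the middleware uses for
// wildcard rules (exact comparison when the rule has no wildcard).
func originAllowed(rule, origin string, buggy bool) bool {
	if !strings.Contains(rule, "*") {
		return origin == rule
	}
	r := parseRule(rule, buggy)
	return strings.HasPrefix(origin, r[0]) && strings.HasSuffix(origin, r[1])
}

func main() {
	// Constructed rule/origin pairs taken from the advisory text above.
	cases := [][2]string{
		{"https://example.com/*", "https://example.community/"},
		{"http://localhost/*", "http://localhost.example.com/"},
		{"https://example.com/*", "https://example.com/app"},
	}
	for _, c := range cases {
		fmt.Printf("rule %-22s origin %-30s buggy=%-5v fixed=%v\n",
			c[0], c[1], originAllowed(c[0], c[1], true), originAllowed(c[0], c[1], false))
	}
}
```

Run it and the first two rows show the unintended origins accepted only under the buggy parser, while the third (a genuine path under example.com) is accepted by both.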

What is the Impact of CVE-2019-25211?

Successful exploitation may allow attackers to bypass CORS policies, making unauthorized cross-origin requests, potentially leading to data theft, session hijacking, or other client-side attacks.

What is the Exploitability of CVE-2019-25211?

Exploitation of this CORS misconfiguration vulnerability involves an attacker hosting malicious content on a domain that would normally be blocked by a correctly configured CORS policy. The attacker anticipates that the parseWildcardRules flaw will allow their origin to be accepted. The complexity is low, as it primarily requires understanding the misconfiguration and crafting a request from an unexpected origin. No authentication to the target application is strictly required to attempt the cross-origin request. This is a remote, client-side vulnerability, where the client's browser (or other CORS-compliant agent) would make the request. The likelihood of exploitation is increased when applications rely on wildcard matching for CORS and use the vulnerable Gin-Gonic middleware, as attackers can attempt requests from a wide range of domains.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2019-25211?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

None

Available Upgrade Options

  • github.com/gin-gonic/gin
    • <1.6.0 → Upgrade to 1.6.0
  • github.com/gin-contrib/cors
    • <1.6.0 → Upgrade to 1.6.0


Additional Resources

What are Similar Vulnerabilities to CVE-2019-25211?

Similar Vulnerabilities: CVE-2017-1000481, CVE-2018-1000858, CVE-2020-15095, CVE-2021-39148, CVE-2022-2970