CVE-2024-27302 Overview
CVE-2024-27302 is a CORS (Cross-Origin Resource Sharing) policy bypass vulnerability in go-zero, a popular web and RPC framework written in Go. The vulnerability exists in the isOriginAllowed function which improperly validates allowed origins using strings.HasSuffix, allowing attackers to bypass CORS restrictions by registering malicious domains that end with the same suffix as legitimate allowed domains.
Critical Impact
This vulnerability enables attackers to bypass CORS policy entirely, allowing malicious web pages to make unauthorized requests and retrieve sensitive data on behalf of authenticated users, potentially leading to complete compromise of user sessions and data.
Affected Products
- go-zero versions prior to 1.4.4
- Applications using go-zero's CORS Filter with configured allowed domains
- Web services relying on go-zero's origin validation for CORS protection
Discovery Timeline
- 2024-03-06 - CVE-2024-27302 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2024-27302
Vulnerability Analysis
The vulnerability resides in the CORS handling logic within go-zero's rest/internal/cors/handlers.go file. The framework allows developers to configure a CORS filter with an array of allowed domains. However, the origin validation mechanism uses Go's strings.HasSuffix function to check if the incoming request's origin matches any allowed domain.
This implementation is fundamentally flawed because suffix matching does not properly validate domain boundaries. For example, if an application configures example.com as an allowed origin, an attacker could register maliciousexample.com which would pass the suffix check since it ends with example.com. This allows the attacker's domain to be treated as a legitimate origin.
Root Cause
The root cause is improper input validation in the origin checking logic. The isOriginAllowed function relies on simple string suffix matching without ensuring that the match occurs at a proper domain boundary (i.e., that the allowed domain is preceded by a dot or matches the origin exactly). This represents CWE-639 (Authorization Bypass Through User-Controlled Key), as the user-controlled Origin header can bypass authorization checks through crafted domain names.
Attack Vector
An attacker can exploit this vulnerability through the following attack flow:
- Identify a target application using go-zero with CORS restrictions configured for specific domains (e.g., trusted.com)
- Register a malicious domain ending with the allowed origin suffix (e.g., attackertrusted.com)
- Host a malicious webpage on the attacker-controlled domain
- When a victim visits the attacker's page, the malicious JavaScript can make cross-origin requests to the target application
- Due to the flawed suffix check, the target application's CORS policy accepts the malicious origin as valid
- The attacker can now access sensitive data and perform actions on behalf of the authenticated user
// Vulnerable code (before patch) in rest/internal/cors/handlers.go
func isOriginAllowed(allows []string, origin string) bool {
	for _, o := range allows {
		if o == allOrigins {
			return true
		}
		// Bare suffix check: "attackertrusted.com" ends with "trusted.com"
		// and is accepted, because no domain boundary is enforced.
		if strings.HasSuffix(origin, o) {
			return true
		}
	}
	return false
}

// Fixed code (after patch) - adds proper domain boundary check
func isOriginAllowed(allows []string, origin string) bool {
	origin = strings.ToLower(origin)
	for _, allow := range allows {
		if allow == allOrigins {
			return true
		}
		allow = strings.ToLower(allow)
		// Exact match of the allowed origin.
		if origin == allow {
			return true
		}
		// Subdomain match: the allowed name must be preceded by a dot.
		if strings.HasSuffix(origin, "."+allow) {
			return true
		}
	}
	return false
}
Source: GitHub Commit Detail
Detection Methods for CVE-2024-27302
Indicators of Compromise
- Unusual cross-origin requests from domains that share suffix patterns with allowed origins
- CORS preflight requests with suspicious Origin headers containing allowed domain names as suffixes
- Access logs showing requests with Origin headers from unexpected domains that were not blocked
Detection Strategies
- Review application logs for CORS requests from origins that end with configured allowed domains but are not exact matches or proper subdomains
- Implement monitoring for cross-origin requests from newly registered domains that share naming patterns with your allowed origins
- Audit go-zero version in your dependency tree using go list -m all | grep go-zero to identify vulnerable installations
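The log review in the first strategy above, written out as an added Go example (not code from go-zero or from the original page): it replays the vulnerable and the corrected origin checks over a constructed access-log excerpt and reports the Origin hosts that only the buggy suffix match would have accepted. The log line format and the allowlist entry trusted.com are assumptions.

```go
package main

import (
	"net/url"
	"strings"
)

// Constructed access-log excerpt: one request per line, Origin header value after "origin=".
const sampleLogs = `GET /api/profile origin=https://app.trusted.com status=200
GET /api/profile origin=https://attackertrusted.com status=200
GET /api/profile origin=https://trusted.com status=200
GET /api/profile origin=https://other.example status=200`

// suffixOnly reports whether host would pass the pre-1.4.4 bare HasSuffix check
// yet fail the corrected rule (exact host, or the allowed name preceded by a dot).
func suffixOnly(allows []string, host string) bool {
	bare := false
	for _, a := range allows {
		a = strings.ToLower(a)
		if host == a || strings.HasSuffix(host, "."+a) {
			return false // exact match or real subdomain: legitimate
		}
		if strings.HasSuffix(host, a) {
			bare = true // accepted only because of the suffix bug
		}
	}
	return bare
}

// suspiciousOrigins scans the log text and returns every Origin hostname that
// only the vulnerable check would have allowed; each one deserves investigation.
func suspiciousOrigins(logs string, allows []string) []string {
	var hits []string
	for _, line := range strings.Split(logs, "\n") {
		for _, f := range strings.Fields(line) {
			if !strings.HasPrefix(f, "origin=") {
				continue
			}
			// Compare hostnames only; scheme and port in the Origin value must not mask a bad suffix.
			u, err := url.Parse(strings.TrimPrefix(f, "origin="))
			if err != nil || u.Host == "" {
				continue
			}
			if h := strings.ToLower(u.Hostname()); suffixOnly(allows, h) {
				hits = append(hits, h)
			}
		}
	}
	return hits
}
```

Feeding real access logs through suspiciousOrigins requires only adapting the field extraction to your log format; the classification logic stays the same.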
Monitoring Recommendations
- Monitor web server access logs for unusual patterns in the Origin request header
- Set up alerts for CORS requests from domains not explicitly in your allowlist
- Implement Content Security Policy (CSP) headers as an additional layer of protection
How to Mitigate CVE-2024-27302
Immediate Actions Required
- Upgrade go-zero to version 1.4.4 or later immediately
- Review CORS configuration to ensure proper domain restrictions are in place
- Audit application logs for any suspicious cross-origin activity that may indicate prior exploitation
- Consider implementing additional origin validation at the application layer as defense in depth
Patch Information
The vulnerability is fixed in go-zero version 1.4.4. The fix modifies the isOriginAllowed function to properly validate domain boundaries by checking for an exact match or ensuring the origin ends with a dot followed by the allowed domain (strings.HasSuffix(origin, "."+allow)). The patch also makes the origin comparison case-insensitive.
Apply the patch by updating your go.mod file:
go get github.com/zeromicro/go-zero@v1.4.4
For more details, see the GitHub Security Advisory and the patch commit.
Workarounds
- If immediate upgrade is not possible, implement additional origin validation logic in your application middleware before requests reach go-zero's CORS handler
- Use an external reverse proxy (such as nginx or Cloudflare) with strict CORS configuration to filter requests before they reach the application
- Restrict sensitive API endpoints to require additional authentication mechanisms beyond CORS, such as API tokens or CSRF tokens
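The first workaround above, as an added example that is not go-zero's own code: a plain net/http wrapper that enforces the boundary-correct origin rule before the wrapped handler (and its CORS logic) runs. Mounting it in front of a go-zero server and using bare hostnames as allowlist entries are assumptions; statusFor drives it with constructed requests so the behaviour can be checked offline.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// originAllowed applies the boundary-correct rule: the Origin hostname must equal an
// allowed name or end with "." followed by it. Allowed names are assumed to be bare hostnames.
func originAllowed(allows []string, origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false // "null", malformed or schemeless values never match
	}
	host := strings.ToLower(u.Hostname())
	for _, a := range allows {
		a = strings.ToLower(a)
		if host == a || strings.HasSuffix(host, "."+a) {
			return true
		}
	}
	return false
}

// StrictOrigin rejects cross-origin requests whose Origin fails originAllowed with 403,
// so a downstream CORS handler never gets to echo a bypass origin. Requests without an
// Origin header (same-origin navigations, non-browser clients) pass through unchanged.
func StrictOrigin(allows []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" && !originAllowed(allows, o) {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request through the middleware and returns the status code.
func statusFor(allows []string, origin string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/api/profile", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	StrictOrigin(allows, ok).ServeHTTP(rec, req)
	return rec.Code
}
```

This is stricter than CORS itself, which only withholds the Access-Control-Allow-Origin header; refusing the request outright is deliberate for a stopgap in front of a vulnerable version.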
# Verify your go-zero version and upgrade
go list -m github.com/zeromicro/go-zero
go get github.com/zeromicro/go-zero@v1.4.4
go mod tidy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

