CVE-2025-47910 Overview
CVE-2025-47910 affects the Go standard library net/http package, specifically the CrossOriginProtection mechanism. When developers call AddInsecureBypassPattern to exempt specific endpoints from cross-origin checks, the method can bypass more requests than the developer intended. CrossOriginProtection skips validation but forwards the original request path, which a different handler may then serve without the intended security protections. The flaw weakens cross-site request forgery (CSRF) protections for Go-based HTTP services. The Go team disclosed the issue through the Go.dev Vulnerability Report GO-2025-3955 and published a fix referenced in the Google Groups Announcement.
Critical Impact
Attackers can route cross-origin requests to handlers expected to be protected by CrossOriginProtection, undermining CSRF defenses with low complexity and no authentication required.
Affected Products
- Go standard library net/http package
- Applications using http.CrossOriginProtection with AddInsecureBypassPattern
- Go versions prior to the fixed releases referenced in GO-2025-3955
Discovery Timeline
- 2025-09-22 - CVE-2025-47910 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-47910
Vulnerability Analysis
The Go net/http package introduced CrossOriginProtection to mitigate CSRF and other cross-origin attacks against HTTP handlers. The mechanism validates requests based on Origin and Sec-Fetch-Site headers before passing them to the underlying handler. Developers can call AddInsecureBypassPattern to opt specific URL patterns out of validation, typically for endpoints that intentionally accept unauthenticated cross-origin traffic.
The vulnerability arises because pattern matching for the bypass list does not align precisely with how the request path is later dispatched. When a request matches a bypass pattern, CrossOriginProtection skips its checks and forwards the original, unmodified request path downstream. A different handler, registered for a path that overlaps or extends the bypass pattern, can then process the request without cross-origin enforcement. This produces a broken access control condition affecting applications that rely on the protection.
Root Cause
The root cause is a mismatch between the path-matching semantics used by AddInsecureBypassPattern and those used by the application's request multiplexer. Patterns intended to exempt narrow endpoints can match a broader set of request paths, leaving downstream handlers exposed. The Go team's fix, published in the Go.dev Code Review CL 699275, corrects the bypass evaluation so that only the intended handler is exempted.
Attack Vector
Exploitation requires an attacker to lure an authenticated user into visiting a malicious page that issues a cross-origin request to a vulnerable Go service. User interaction is required, and no privileges are needed on the target service. The attacker crafts a request path that matches a configured insecure bypass pattern but is ultimately routed to a sensitive handler. Because CrossOriginProtection has already cleared the request, the sensitive handler executes without cross-origin checks. Refer to the Go.dev Issue Tracker entry for technical discussion of the routing edge case.
Detection Methods for CVE-2025-47910
Indicators of Compromise
- Unexpected state-changing requests to sensitive endpoints originating from cross-origin referers or with mismatched Origin headers
- HTTP access logs showing requests to bypass-pattern paths followed by internal dispatch to handlers not intended to be exempt
- Successful POST, PUT, or DELETE operations from browsers without same-origin context
Detection Strategies
- Audit application source for all calls to http.CrossOriginProtection.AddInsecureBypassPattern and verify that exempted patterns align exactly with intended handlers.
- Use Go's vulnerability scanner govulncheck to flag binaries linked against vulnerable Go releases listed in GO-2025-3955.
- Inspect web server and reverse proxy logs for cross-origin requests reaching handlers that should require same-origin enforcement.
Monitoring Recommendations
- Forward Go application HTTP logs to a centralized analytics platform and alert on cross-origin write requests to authenticated endpoints.
- Track deployment inventory of Go runtime versions across services and flag any builds older than the patched releases.
- Add integration tests that issue cross-origin requests to bypass-pattern paths and assert that adjacent sensitive handlers reject them.
How to Mitigate CVE-2025-47910
Immediate Actions Required
- Upgrade all Go services to a Go release that includes the fix referenced in GO-2025-3955 and rebuild affected binaries.
- Review every AddInsecureBypassPattern call and remove patterns that are not strictly required.
- Restrict bypass patterns to the narrowest possible path expressions and avoid wildcards that can collide with sensitive routes.
Patch Information
The Go team published the fix in CL 699275 and announced patched releases through the golang-announce mailing list. Rebuild and redeploy any application that imports net/http after upgrading the Go toolchain. Container images and statically linked binaries must be rebuilt because the vulnerable code is compiled into each binary.
Workarounds
- Remove all calls to AddInsecureBypassPattern and instead implement per-handler CSRF protections using tokens or SameSite cookies.
- Place exempted endpoints under a dedicated path prefix served by a separate ServeMux so bypass patterns cannot match unrelated handlers.
- Add an additional middleware that re-validates Origin and Sec-Fetch-Site headers on sensitive handlers regardless of CrossOriginProtection status.
# Upgrade the Go toolchain and rebuild affected services
go install golang.org/dl/go1.x.y@latest
go1.x.y download
go1.x.y build ./...
govulncheck ./...
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
