Go net/http Cross-Origin Protection Insecure Bypass Vulnerability

A vulnerability exists in the Go programming language's net/http package, specifically in the CrossOriginProtection feature. When the AddInsecureBypassPattern method is used, it can unintentionally allow more requests to bypass security checks than intended. This occurs because CrossOriginProtection skips validation for these requests but forwards the original request path, which might be handled by a different server component lacking the necessary security measures. This issue affects Go versions 1.25.0 prior to 1.25.1.

Impact

Exploiting this vulnerability can lead to security protections being bypassed, allowing requests to be handled by less secure handlers.

Reproduction

To reproduce this vulnerability, create a ServeMux with two handlers: one for a path with a trailing slash and another for the same path without a trailing slash. Then, add a bypass pattern for the path with the trailing slash using the AddInsecureBypassPattern method. When a request is sent to the path without the trailing slash, the bypass will be incorrectly applied, allowing the request to be processed by the handler for the path without the intended security validation.

Remediation

Users can update to Go version 1.25.1, which addresses this vulnerability by requiring exact matches for bypass patterns in CrossOriginProtection.