x/vulndb: potential Go vuln in github.com/rs/cors: GHSA-mh55-gqvf-xfwm

[GoVulnBot]

Advisory GHSA-mh55-gqvf-xfwm references a vulnerability in the following Go modules:

Module
github.com/rs/cors

Description:
Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

References:

• ADVISORY: GHSA-mh55-gqvf-xfwm
• FIX: rs/cors@4c32059
• FIX: Normalize allowed request headers and store them in a sorted set (fixes #170) rs/cors#171
• REPORT: Some malicious/spoofed preflight requests cause prohibitive load rs/cors#170

Cross references:

• Module github.com/rs/cors appears in issue x/vulndb: potential Go vuln in github.com/rs/cors #1792
• Module github.com/rs/cors appears in issue x/vulndb: denial of service in github.com/rs/cors #2883

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/rs/cors
      versions:
        - introduced: 1.9.0
        - fixed: 1.11.0
      vulnerable_at: 1.10.1
summary: Denial of service via malicious preflight requests in github.com/rs/cors
ghsas:
    - GHSA-mh55-gqvf-xfwm
references:
    - advisory: https://github.com/advisories/GHSA-mh55-gqvf-xfwm
    - fix: https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2
    - fix: https://github.com/rs/cors/pull/171
    - report: https://github.com/rs/cors/issues/170
source:
    id: GHSA-mh55-gqvf-xfwm
    created: 2024-07-05T20:01:12.658329941Z
review_status: UNREVIEWED

[tatianab]

GHSA for #2883

[gopherbot]

Change https://go.dev/cl/597156 mentions this issue: data/reports: update 2 reports