CVE-2019-25211 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-25211 PUBLISHED

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.

EPSS 0.39% · 59.7th percentile

Risk Scores

EPSS Score

0.39%

59.7th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:22.04:LTS	golang-github-gin-contrib-cors	0, 1.3.1-1
Ubuntu:24.04:LTS	golang-github-gin-contrib-cors	0, 1.4.0-1
Ubuntu:25.10	golang-github-gin-contrib-cors	1.4.0-1, 0
Ubuntu:20.04:LTS	golang-github-gin-contrib-cors	0, 1.3.0-2

Timeline

Jun 28, 2024 CVE Published
Jun 29, 2024 EPSS Score
Jul 21, 2024 EPSS Score
Aug 12, 2024 EPSS Score
Sep 2, 2024 EPSS Score
Sep 24, 2024 EPSS Score
Oct 16, 2024 EPSS Score
Nov 7, 2024 EPSS Score
Nov 29, 2024 EPSS Score
Dec 22, 2024 EPSS Score
Jan 12, 2025 EPSS Score
Feb 3, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2019-25211 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2019-25211 third-party-advisory
https://github.com/gin-contrib/cors/pull/57 third-party-advisory
https://github.com/gin-contrib/cors/pull/106 third-party-advisory
https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0 third-party-advisory
https://github.com/gin-contrib/cors/releases/tag/v1.6.0 third-party-advisory
https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d third-party-advisory

Open in Interactive Console →