CVE-2019-25211 — Vulnetix

CVE-2019-25211 PUBLISHED

parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.

EPSS 0.39% · 60.3th percentile

Risk Scores

EPSS Score

0.39%

60.3th percentile

Affected Products

Vendor	Product	Versions
Salesforce	community
Ubuntu:22.04:LTS	golang-github-gin-contrib-cors	0, 1.3.1-1
Ubuntu:24.04:LTS	golang-github-gin-contrib-cors	0, 1.4.0-1
Ubuntu:25.10	golang-github-gin-contrib-cors	1.4.0-1, 0
Ubuntu:20.04:LTS	golang-github-gin-contrib-cors	0, 1.3.0-2

Exploit Intelligence

Timeline

Jun 28, 2024 CVE Published
Jun 29, 2024 EPSS Score
Jul 21, 2024 EPSS Score
Aug 13, 2024 EPSS Score
Sep 4, 2024 EPSS Score
Sep 27, 2024 EPSS Score
Oct 19, 2024 EPSS Score
Nov 10, 2024 EPSS Score
Dec 4, 2024 EPSS Score
Dec 26, 2024 EPSS Score
Jan 18, 2025 EPSS Score
Feb 9, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2019-25211 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2019-25211 third-party-advisory
https://github.com/gin-contrib/cors/pull/57 third-party-advisory
https://github.com/gin-contrib/cors/pull/106 third-party-advisory
https://github.com/gin-contrib/cors/compare/v1.5.0...v1.6.0 third-party-advisory
https://github.com/gin-contrib/cors/releases/tag/v1.6.0 third-party-advisory
https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d third-party-advisory

Open in Interactive Console →