More information
#### Details
Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.
#### Severity
Moderate
#### References
- [https://github.com/rs/cors/issues/170](https://togithub.com/rs/cors/issues/170)
- [https://github.com/rs/cors/pull/171](https://togithub.com/rs/cors/pull/171)
- [https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2](https://togithub.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2)
- [https://github.com/rs/cors](https://togithub.com/rs/cors)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-mh55-gqvf-xfwm) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).
Denial of service via malicious preflight requests in github.com/rs/cors
More information
#### Details
Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.
#### Severity
Unknown
#### References
- [https://github.com/rs/cors/pull/171](https://togithub.com/rs/cors/pull/171)
- [https://github.com/rs/cors/issues/170](https://togithub.com/rs/cors/issues/170)
This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2883) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).
This PR contains the following updates:
v1.10.1->v1.11.0Denial of service via malicious preflight requests in github.com/rs/cors
CGA-4q8p-r7fw-x2qh / CGA-68f4-crv2-qx4h / CGA-9x5q-52qg-w96r / CGA-ccpc-45g2-49v8 / CGA-f23v-gr4g-85g6 / CGA-gpwc-7f5f-8m65 / CGA-j7h3-v37v-34mr / CGA-jfwp-xgw2-88xx / CGA-mp77-8xxr-pj7f / CGA-vc2m-gvqx-pvqx / CGA-w6mf-rxg5-j7gh / CGA-w773-cxf8-cjq6 / CGA-w8g5-jpw3-r6wc / CGA-x3c7-grh6-85jm / CGA-xp5f-fh8m-3gqr / GHSA-mh55-gqvf-xfwm
More information
#### Details Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service. #### Severity Moderate #### References - [https://github.com/rs/cors/issues/170](https://togithub.com/rs/cors/issues/170) - [https://github.com/rs/cors/pull/171](https://togithub.com/rs/cors/pull/171) - [https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2](https://togithub.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2) - [https://github.com/rs/cors](https://togithub.com/rs/cors) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-mh55-gqvf-xfwm) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Denial of service via malicious preflight requests in github.com/rs/cors
GO-2024-2883
More information
#### Details Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service. #### Severity Unknown #### References - [https://github.com/rs/cors/pull/171](https://togithub.com/rs/cors/pull/171) - [https://github.com/rs/cors/issues/170](https://togithub.com/rs/cors/issues/170) This data is provided by [OSV](https://osv.dev/vulnerability/GO-2024-2883) and the [Go Vulnerability Database](https://togithub.com/golang/vulndb) ([CC-BY 4.0](https://togithub.com/golang/vulndb#license)).Release Notes
rs/cors (github.com/rs/cors)
### [`v1.11.0`](https://togithub.com/rs/cors/compare/v1.10.1...v1.11.0) [Compare Source](https://togithub.com/rs/cors/compare/v1.10.1...v1.11.0)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.