fix(deps): update module github.com/gin-contrib/cors to v1.6.0 [security]#1015
Merged
DavidePrincipi merged 1 commit intomainfrom Jan 23, 2026
Merged
Conversation
DavidePrincipi
deleted the
renovate-go-github-com-gin-contrib-cors-vulnerability
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.4.0→v1.6.0GitHub Vulnerability Alerts
CVE-2019-25211
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
Gin mishandles a wildcard in the origin string in github.com/gin-contrib/cors
CVE-2019-25211 / GHSA-869c-j7wc-8jqv / GO-2024-2955
More information
Details
Gin-Gonic CORS middleware mishandles a wildcard at the end of an origin string. Examples: https://example.community/* is accepted by the origin string https://example.com/* and http://localhost.example.com/* is accepted by the origin string http://localhost/* .
Severity
Unknown
References
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Gin mishandles a wildcard at the end of an origin string
CVE-2019-25211 / GHSA-869c-j7wc-8jqv / GO-2024-2955
More information
Details
parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localhost.example.com/* is allowed when the intention is that only http://localhost/* should be allowed.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
gin-contrib/cors (github.com/gin-contrib/cors)
v1.6.0Compare Source
Changelog
Features
eac6c48feat(schema): allow usage of custom schemas (#139)Bug fixes
27b723afixe(domain): wildcard parse bug (#106 and #57) @maxshine and @HvitgarEnhancements
f41df75chore: update GitHub actions to latest versions2451987chore: update dependencies to latest versions7d356c2chore: update dependencies to latest versions5da0aeechore: update third-party dependencies8263fcechore: update version of actions/setup-go in GitHub workflowsOthers
fcbd06fci: enhance testing matrix and tolerance limitsf08c1bcci: refactor CI workflows and improve tests30792dcci: refactor GitHub Actions workflows0e993b7ci: update GitHub Actions to Version 390a7c66test(cors): enhance CORS wildcard handling tests (#145)85bf9fbtest: improve CORS wildcard handling and testing (#144)d5002f2test: refactor tests and update CI configurationsv1.5.0Compare Source
Changelog
Features
0eaf9a0feat: adds support for private network header (#128)Enhancements
c1983b2chore(CI): add go1.20 version1d5e083chore(deps): bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#112)f8b2357chore(options): Added availability to set 200/204 for OPTIONS request status (#129)f92a222chore: Add go 1.19 and upgrade lint version to v1.4995df7c6chore: removedepguardlinter and rename example file7ac4445chore: update GitHub Actions configuration filesbbf67cdchore: update Go version and setup-go actionb216599chore: updategoreleaser/goreleaser-actionto version v4765e44echore: update dependencies to latest versionsbf2c9dfchore: update linter configuration and changelog titlesbbb26b0chore: update supported versions of GoOthers
5914b2fbuild: update Go version and dependenciesConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.