354 matches found

Cvelist
added 2025/08/06 8:41 p.m., 6 views

CVE-2025-47908 Denial of service via malicious preflight requests in github.com/rs/cors

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt...

EPSS 0.00533
Exploits 0, References 3
CVE
added 2025/08/06 8:41 p.m., 31 views

CVE-2025-47908

CVE-2025-47908 affects the Go middleware library github.com/rs/cors. Description in connected advisory confirms a DoS risk: processing malicious preflight requests with an Access-Control-Request-Headers header containing many commas triggers prohibitive heap allocations. Remediation provided by S...

CVSS 7.5, AI score 6.2, EPSS 0.00533
Exploits 0, References 3
Vulnrichment
added 2025/08/06 8:41 p.m., 5 views

CVE-2025-47908 Denial of service via malicious preflight requests in github.com/rs/cors

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt...

AI score 6.3, EPSS 0.00533
Exploits 0, References 3
RedhatCVE
added 2025/05/23 7:20 a.m., 7 views

CVE-2024-44930

Serilog before v2.1.0 was discovered to contain a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses by specifying an arbitrary IP as a value of X-Forwarded-For or Client-Ip headers while performing HTTP requests...

CVSS 6.5, AI score 7.4, EPSS 0.00322
Exploits 0, References 1
RedhatCVE
added 2025/05/23 3:14 a.m., 4 views

CVE-2023-26138

All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n carriage return and line feed characters and inject additional headers in the request sent...

CVSS 5.4, AI score 7.1, EPSS 0.00371
Exploits 1, References 1
RedhatCVE
added 2025/05/23 12:02 a.m., 7 views

CVE-2022-4315

An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 2.0 before 3.0.55, which sends custom request headers with every request on the authentication page...

CVSS 6.5, AI score 6.8, EPSS 0.00805
Exploits 1, References 1
RedhatCVE
added 2025/05/22 11:54 p.m., 7 views

CVE-2022-4317

An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 1.47 before 3.0.51, which sends custom request headers in redirects...

CVSS 6.1, AI score 6.6, EPSS 0.00541
Exploits 1, References 1
RedhatCVE
added 2025/05/22 4:01 p.m., 10 views

CVE-2020-0645

A tampering vulnerability exists when Microsoft IIS Server improperly handles malformed request headers, aka 'Microsoft IIS Server Tampering Vulnerability'...

CVSS 7.5, AI score 6.6, EPSS 0.03809
Exploits 0, References 1
OSV
added 2025/05/07 12:18 p.m., 8 views

USN-7490-3 libsoup3 vulnerabilities

USN-7490-1 fixed vulnerabilities in libsoup2.4. This update provides the corresponding updates for libsoup3. Original advisory details: Tan Wei Chong discovered that libsoup incorrectly handled memory when parsing HTTP request headers. An attacker could possibly use this issue to send a malicious...

CVSS 9, AI score 7.2, EPSS 0.00798
Exploits 0, References 10
Veracode
added 2025/04/18 11:28 a.m., 11 views

Remote Code Execution (RCE)

BentoML is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper handling of specific headers and parameters in POST requests, which allows remote code execution (RCE) on the server...

CVSS 9.8, AI score 8.2, EPSS 0.43809
Exploits 4, References 4, Affected Software 1
Veracode
added 2025/02/28 9:19 a.m., 5 views

Host Header Injection

leantime/leantime is vulnerable to Host Header Injection. The vulnerability is due to improper validation of the Host header: the system allows attackers to manipulate HTTP request headers, leading to unauthorized access to user details...

AI score 7
Exploits 0
Veracode
added 2025/02/18 5:48 a.m., 6 views

Regular Expression Denial Of Service (ReDoS)

@octokit/request-error is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is due to inefficient regular expression processing in the handling of HTTP request headers. Specifically, the regex used to process authorization headers fails to handle excessive whitespace...

CVSS 5.3, AI score 5.1, EPSS 0.0058
Exploits 0, References 4, Affected Software 1
RedhatCVE
added 2025/02/06 12:52 a.m., 10 views

CVE-2022-3767

Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host...

CVSS 7.7, AI score 6.6, EPSS 0.00746
Exploits 1
RedhatCVE
added 2025/02/05 12:45 p.m., 8 views

CVE-2024-43424

Sharp and Toshiba Tec MFPs improperly process HTTP request headers, resulting in an Out-of-bounds Read vulnerability. Crafted HTTP requests may cause affected products to crash...

CVSS 7.5, AI score 6.9, EPSS 0.00729
Exploits 0, References 5
CVE
added 2024/11/07 9:52 a.m., 180 views

CVE-2024-51504

CVE-2024-51504 affects ZooKeeper Admin Server via IPAuthenticationProvider. Default IP detection uses HTTP headers (X-Forwarded-For) and can be spoofed, leading to authentication bypass for IP-based auth. Admin commands like snapshot/restore may be exploited after bypass. Impact: potential inform...

CVSS 9.1, AI score 9.2, EPSS 0.00924
Exploits 0, References 2, Affected Software 1
OSV
added 2024/11/05 7:26 a.m., 15 views

BIT-GITLAB-2022-4315

An issue has been discovered in GitLab DAST analyzer affecting all versions starting from 2.0 before 3.0.55, which sends custom request headers with every request on the authentication page...

CVSS 6.5, AI score 6.4, EPSS 0.00805
Exploits 1, References 3
Vulnrichment
added 2024/10/25 6:18 a.m., 9 views

CVE-2024-43424

Sharp and Toshiba Tec MFPs improperly process HTTP request headers, resulting in an Out-of-bounds Read vulnerability. Crafted HTTP requests may cause affected products to crash...

CVSS 7.5, AI score 7, EPSS 0.00729
Exploits 0, References 3
CVE
added 2024/09/27 4:39 p.m., 329 views

CVE-2024-38809

CVE-2024-38809 is a Spring Framework DoS vulnerability arising when parsing ETags from If-Match/If-None-Match headers. Affected OpenPages advisory confirms remediation by upgrading Spring to a fixed package version (OpenPages uses Spring Framework 5.3.x; remediation version stated as 5.3.39.2511)...

CVSS 5.3, AI score 6.7, EPSS 0.00858
Exploits 0, References 2
OSV
added 2024/08/17 7:16 a.m., 13 views

BIT-CILIUM-OPERATOR-2024-42487 Cilium's Gateway API route matching order contradicts specification

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular,...

CVSS 4.3, AI score 4, EPSS 0.00535
Exploits 0, References 4
OSV
added 2024/08/17 7:16 a.m., 13 views

BIT-CILIUM-2024-42487 Cilium's Gateway API route matching order contradicts specification

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. In the 1.15 branch prior to 1.15.8 and the 1.16 branch prior to 1.16.1, Gateway API HTTPRoutes and GRPCRoutes do not follow the match precedence specified in the Gateway API specification. In particular,...

CVSS 4.3, AI score 4, EPSS 0.00535
Exploits 0, References 4