CVE-2024-27302

go-zero is a web and rpc framework. Go-zero allows user to specify a CORS Filter with a configurable allows param - which is an array of domains allowed in CORS policy. However, the isOriginAllowed uses strings.HasSuffix to check the origin, which leads to bypass via a malicious domain. This vulner...