Skip to content

chore(deps): update module github.com/rs/cors to v1.11.0 [security]#396

Open
renovate-sh-app[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-rs-cors-vulnerability
Open

chore(deps): update module github.com/rs/cors to v1.11.0 [security]#396
renovate-sh-app[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-rs-cors-vulnerability

Conversation

@renovate-sh-app
Copy link
Contributor

@renovate-sh-app renovate-sh-app bot commented Oct 3, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
github.com/rs/cors v1.10.1v1.11.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-47908

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Denial of service via malicious preflight requests in github.com/rs/cors

CVE-2025-47908 / GHSA-mh55-gqvf-xfwm / GO-2024-2883

More information

Details

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Denial of service via malicious preflight requests in github.com/rs/cors

CVE-2025-47908 / GHSA-mh55-gqvf-xfwm / GO-2024-2883

More information

Details

Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service.

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

rs/cors (github.com/rs/cors)

v1.11.0

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app renovate-sh-app bot requested a review from a team as a code owner October 3, 2025 15:02
@renovate-sh-app renovate-sh-app bot enabled auto-merge (squash) October 3, 2025 15:02
@github-project-automation github-project-automation bot moved this to In review in Alerting Oct 3, 2025
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 3 times, most recently from fc89910 to 2093022 Compare October 9, 2025 21:02
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 5 times, most recently from 596333a to 20e14d3 Compare October 30, 2025 18:15
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 3 times, most recently from 52c78f2 to b91c0d1 Compare November 10, 2025 21:15
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch from b91c0d1 to 9398ebd Compare November 19, 2025 21:26
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 5 times, most recently from ad28d97 to 791ce25 Compare December 4, 2025 15:09
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 5 times, most recently from 98af1cd to 974ae3c Compare December 17, 2025 12:06
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 4 times, most recently from 2ce608a to 243c27b Compare January 22, 2026 15:05
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 2 times, most recently from ee192d6 to 912cc2f Compare January 29, 2026 18:23
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 3 times, most recently from 4155033 to d22a09c Compare February 6, 2026 16:05
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 2 times, most recently from 9e59e04 to 3f4d143 Compare February 12, 2026 22:03
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 3 times, most recently from ebf8500 to a3bc07a Compare February 23, 2026 15:05
cursor[bot]
cursor bot reviewed Feb 23, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is ON. A Cloud Agent has been kicked off to fix the reported issue.

go.mod
github.com/prometheus/exporter-toolkit v0.11.0 // indirect
github.com/prometheus/procfs v0.16.1 // indirect
github.com/rs/cors v1.10.1 // indirect
github.com/rs/cors v1.11.0 // indirect
Copy link

@cursor cursor bot Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CORS wildcard credentials behavior may change

Medium Severity

Updating github.com/rs/cors to v1.11.0 can change runtime CORS behavior, notably for configurations combining AllowedOrigins: ["*"] with AllowCredentials: true. If the service relied on the prior “reflect any Origin” behavior, cross-origin requests may start failing because the expected Access-Control-Allow-Origin header is no longer emitted.

Additional Locations (1)

Fix in Cursor Fix in Web

Copy link

@cursor cursor bot Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bugbot Autofix determined this is a false positive.

The alertmanager uses cors.Default() which sets AllowCredentials to false, so the v1.11.0 behavior change for wildcard origins with credentials enabled does not apply to this codebase.

@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 4 times, most recently from d0088a0 to 35390d1 Compare February 25, 2026 15:02
@renovate-sh-app renovate-sh-app bot force-pushed the renovate/go-github.com-rs-cors-vulnerability branch 6 times, most recently from bc006ab to 4964455 Compare March 3, 2026 12:02
@renovate-sh-app
chore(deps): update module github.com/rs/cors to v1.11.0 [security]
bd28bea 
| datasource | package            | from    | to      |
| ---------- | ------------------ | ------- | ------- |
| go         | github.com/rs/cors | v1.10.1 | v1.11.0 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

automerge-security-update severity:UNKNOWN

Projects

Alerting
Status: In review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants