
CVE-2019-25211: Gin mishandles a wildcard at the end of an origin string

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.33997%
Published: 6/29/2024
Updated: 3/14/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name                 Ecosystem  Vulnerable Versions  First Patched Version
github.com/gin-gonic/gin     go         < 1.6.0              1.6.0
github.com/gin-contrib/cors  go         < 1.6.0              1.6.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

  1. The CVE description explicitly references 'parseWildcardRules' as the vulnerable function.
  2. The GitHub PR #106 and commit 27b723a show the fix modifies line 138 of cors.go, changing 'o[:i-1]' to 'o[:i]' for wildcard-at-end cases.
  3. Multiple independent reports (PR #57, #106) confirm the pattern matching logic error in this specific function.
  4. The vulnerability manifests in origin validation when processing CORS rules with trailing wildcards, directly tied to this function's string manipulation logic.
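The off-by-one described in point 2, reproduced as an added example (this is illustrative code written for this page, not the gin-contrib/cors source): parseWildcardRule mirrors the [prefix, suffix] split of an allow-origin entry, with a switch between the vulnerable o[:i-1] slice and the corrected o[:i] slice for a trailing wildcard, and matchOrigin applies the rule as a prefix/suffix check modelled on how such a matcher behaves. Function names, the "vulnerable" flag and the sample rule and origins are assumptions constructed for the demonstration; they show that a rule of https://example.com/* accepts https://example.community/ before the fix and rejects it after.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// parseWildcardRule splits one allow-origin entry containing a single '*'
// into a [prefix, suffix] pair. With vulnerable=true it reproduces the
// slice o[:i-1] the advisory describes for a trailing wildcard, which drops
// the character immediately before the '*'; with vulnerable=false it uses
// the corrected o[:i]. Illustrative reimplementation, not the library code.
func parseWildcardRule(o string, vulnerable bool) ([2]string, error) {
	if strings.Count(o, "*") != 1 {
		return [2]string{}, errors.New("exactly one * is required")
	}
	i := strings.Index(o, "*")
	switch {
	case i == 0:
		// leading wildcard: match on suffix only
		return [2]string{"*", o[1:]}, nil
	case i == len(o)-1:
		// trailing wildcard: match on prefix only
		if vulnerable {
			return [2]string{o[:i-1], "*"}, nil // loses the trailing "/"
		}
		return [2]string{o[:i], "*"}, nil
	default:
		// wildcard in the middle: match prefix and suffix
		return [2]string{o[:i], o[i+1:]}, nil
	}
}

// matchOrigin applies one parsed rule as a prefix/suffix check.
func matchOrigin(rule [2]string, origin string) bool {
	prefix, suffix := rule[0], rule[1]
	if prefix == "*" {
		return strings.HasSuffix(origin, suffix)
	}
	if suffix == "*" {
		return strings.HasPrefix(origin, prefix)
	}
	return strings.HasPrefix(origin, prefix) && strings.HasSuffix(origin, suffix)
}

// allowed reports whether origin is accepted under rule, for either the
// vulnerable or the fixed parsing behaviour.
func allowed(rule, origin string, vulnerable bool) (bool, error) {
	r, err := parseWildcardRule(rule, vulnerable)
	if err != nil {
		return false, err
	}
	return matchOrigin(r, origin), nil
}

func main() {
	// Constructed sample: one configured rule and origins from the advisory text.
	rule := "https://example.com/*"
	for _, origin := range []string{"https://example.com/app", "https://example.community/"} {
		v, _ := allowed(rule, origin, true)
		f, _ := allowed(rule, origin, false)
		fmt.Printf("%-28s vulnerable=%-5v fixed=%v\n", origin, v, f)
	}
}
```

The difference is entirely in the stored prefix: "https://example.com" before the fix versus "https://example.com/" after it. Any origin whose host merely begins with the intended one (example.community, or localhost.example.com for a http://localhost/* rule) slips through the shorter prefix, which is why a CORS configuration using trailing wildcards on these versions should be treated as allowing more origins than it reads.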


WAF Protection Rules

WAF Rule

parseWildcardRules in gin-gonic CORS middleware before 1.6.0 mishandles a wildcard at the end of an origin string, e.g., https://example.community/* is allowed when the intention is that only https://example.com/* should be allowed, and http://localh
