CVE-2024-27302

Name of the Vulnerable Software and Affected Versions go-zero versions prior to 1.4.4

Description The issue concerns the CORS Filter feature in go-zero, which allows users to specify an array of domains allowed in the CORS policy. However, the isOriginAllowed function uses strings.HasSuffix to check the origin, leading to a bypass via a malicious domain. This can break CORS policy, allowing any page to make requests and retrieve data on behalf of other users.

Recommendations For versions prior to 1.4.4, update to version 1.4.4 to resolve the issue. As a temporary workaround, consider disabling the isOriginAllowed function or restricting the use of the CORS Filter feature until a patch is available. Avoid using the strings.HasSuffix method to check the origin in the CORS Filter configuration.