CVE-2024-27302
📋 TL;DR
This CVE describes a CORS bypass in the go-zero web framework: the `isOriginAllowed` function validates the request's `Origin` header with `strings.HasSuffix`, so any attacker-controlled domain whose name merely ends with an allowed domain (for example `malicious-example.com` when `example.com` is allowed) passes the check. A page hosted on such a domain can then make credentialed cross-origin requests to the application and read the responses on behalf of logged-in users. All go-zero applications that use the CORS filter with a configurable list of allowed domains are affected; version 1.4.4 fixes the issue.
💻 Affected Systems
- go-zero
📦 What is this software?
go-zero (github.com/zeromicro/go-zero) is an open-source Go framework for building REST and RPC services. Its `rest` package ships a CORS handler with a configurable list of allowed origins; that handler contains the vulnerable `isOriginAllowed` check.
⚠️ Risk & Real-World Impact
Worst Case
Complete CORS policy bypass: any website on a suffix-colliding domain can make requests that carry the victim's cookies to the vulnerable application and read the responses, potentially leading to data theft, account takeover, or unauthorized actions performed as the legitimate user.
Likely Case
Attackers create specially crafted domains that match the suffix of allowed domains, enabling cross-origin requests that should be blocked, potentially exposing sensitive data or APIs to unauthorized origins.
If Mitigated
With exact-match origin validation (as in the patched version) and a tight allow list, only the listed origins receive an `Access-Control-Allow-Origin` header, so the browser enforces the intended security boundary for everyone else.
🎯 Exploit Status
Exploitation requires only a domain whose name ends with an allowed entry and a victim who visits a page on it while logged in to the target. If `example.com` is allowed, the browser sends `Origin: https://malicious-example.com`, `strings.HasSuffix` accepts it, and a plain credentialed `fetch` from the attacker's page can read the response. No special tooling is needed beyond the domain registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.4
Vendor Advisory: https://github.com/zeromicro/go-zero/security/advisories/GHSA-fgxv-gw55-r5fq
Restart Required: Yes
Instructions:
1. Update go-zero to version 1.4.4 or later: `go get github.com/zeromicro/go-zero@v1.4.4`
2. Rebuild and redeploy your application.
3. Restart the application service.
🔧 Temporary Workarounds
Implement custom CORS middleware
Replace the vulnerable CORS middleware with a custom implementation that performs exact origin matching instead of suffix matching: parse the `Origin` header and compare scheme and host (including port) against the allow list with an exact string comparison, or with a regex anchored at both ends so it can only match a whole origin.
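The following Go program is an added example for this page, not go-zero's source or its patch. It reconstructs the suffix-matching pattern the advisory describes (`vulnerableOriginAllowed`, illustrative only), places an exact-match check beside it, and wraps that check in a plain `net/http` middleware of the kind the workaround above calls for. The allow-list entries, origins and endpoint paths are hypothetical. Note that the hardened list holds full origins such as `https://example.com`, not bare domains.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// vulnerableOriginAllowed reproduces the pattern the advisory describes: the raw
// Origin header value is compared to each allow-list entry with strings.HasSuffix.
// Illustrative reconstruction for this page, not go-zero's code.
func vulnerableOriginAllowed(allows []string, origin string) bool {
	origin = strings.ToLower(origin)
	for _, allow := range allows {
		if allow == "*" {
			return true
		}
		// "https://malicious-example.com" ends with "example.com", so it passes.
		if strings.HasSuffix(origin, strings.ToLower(allow)) {
			return true
		}
	}
	return false
}

// safeOriginAllowed parses the Origin header and accepts it only when
// scheme://host (port included) equals an allow-list entry exactly.
func safeOriginAllowed(allows []string, origin string) bool {
	u, err := url.Parse(origin)
	// A real Origin header is scheme://host with nothing else; "null" has no scheme.
	if err != nil || u.Scheme == "" || u.Host == "" || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return false
	}
	got := strings.ToLower(u.Scheme + "://" + u.Host)
	for _, allow := range allows {
		if allow == "*" || got == strings.ToLower(allow) {
			return true
		}
	}
	return false
}

// corsMiddleware is a net/http replacement CORS layer built on the exact match.
// It reflects the origin only after the check passes; unlisted origins get no
// CORS headers, so the browser withholds the response from the attacker's page.
func corsMiddleware(allows []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin == "" {
			next.ServeHTTP(w, r) // same-origin or non-browser client: no CORS decision needed
			return
		}
		if !safeOriginAllowed(allows, origin) {
			if r.Method == http.MethodOptions {
				w.WriteHeader(http.StatusForbidden) // preflight from an unlisted origin
				return
			}
			// Simple request: it still executes server-side (so state-changing
			// endpoints need CSRF protection too), but the body stays unreadable.
			next.ServeHTTP(w, r)
			return
		}
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", origin)
		h.Set("Access-Control-Allow-Credentials", "true")
		h.Add("Vary", "Origin")
		if r.Method == http.MethodOptions {
			h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
			h.Set("Access-Control-Allow-Headers", r.Header.Get("Access-Control-Request-Headers"))
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	probes := []string{"https://example.com", "https://malicious-example.com", "http://example.com", "null"}
	for _, o := range probes {
		fmt.Printf("%-32s vulnerable(example.com)=%-5v safe(https://example.com)=%v\n",
			o, vulnerableOriginAllowed([]string{"example.com"}, o), safeOriginAllowed([]string{"https://example.com"}, o))
	}
}
```

Running `main` shows the two checks disagreeing on `https://malicious-example.com` and on the scheme-downgraded `http://example.com`; the middleware can be mounted in front of any `http.Handler`, including the router a go-zero service exposes, until the upgrade to 1.4.4 is deployed.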
Restrict CORS domains at network level
Use WAF or reverse proxy rules to restrict cross-origin requests to only approved origins, validating the `Origin` header with exact matching before the request reaches the application (nginx or Apache rules are sufficient for this).
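As an added illustration of that reverse-proxy rule (not configuration from the go-zero project), the nginx fragment below gates requests on an exact-match `Origin` allow list using a `map`. The origins, server name, upstream address and certificate paths are hypothetical placeholders.

```nginx
# Exact-match CORS origin gate in front of a go-zero service (hypothetical values).
map $http_origin $origin_allowed {
    default                      0;
    ~^$                          1;   # no Origin header: not a cross-origin browser request, pass through
    "https://app.example.com"    1;
    "https://admin.example.com"  1;
}

upstream go_zero_backend {
    server 127.0.0.1:8888;            # the go-zero rest service
}

server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate     /etc/nginx/tls/api.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/api.example.com.key;

    location / {
        # An Origin that is not exactly on the list never reaches the app, so a
        # suffix-colliding domain such as https://malicious-example.com gets a 403
        # and no Access-Control-Allow-Origin header at all.
        if ($origin_allowed = 0) {
            return 403;
        }
        proxy_pass http://go_zero_backend;
        proxy_set_header Host $host;
    }
}
```

Because `map` keys are literal strings unless prefixed with `~`, `https://malicious-example.com` cannot match the `https://app.example.com` entry the way a suffix check would; keep the allow list to full origins (scheme and host) and reload nginx after every change.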
🧯 If You Can't Patch
- Implement strict CORS validation at the application layer using exact domain matching instead of suffix checking.
- Deploy a WAF with CORS validation rules to block malicious cross-origin requests before they reach the application.
🔍 How to Verify
Check if Vulnerable:
Your application is vulnerable if it runs a go-zero version below 1.4.4 and uses the framework's CORS handler with an explicit list of allowed domains (the code path that calls `isOriginAllowed`). Check the version with the command below; in vendored builds also confirm the version recorded in `go.mod` is what actually ships.
Check Version:
go list -m github.com/zeromicro/go-zero
Verify Fix Applied:
After updating to 1.4.4+, send a request to a CORS-enabled endpoint with an `Origin` header for a domain that shares a suffix with an allowed domain but is not on the list (for example `Origin: https://malicious-example.com` when `example.com` is allowed) and confirm the response carries no `Access-Control-Allow-Origin` reflecting that origin. Repeat with a listed origin to confirm legitimate cross-origin clients still work.
📡 Detection & Monitoring
Log Indicators:
- Cross-origin requests whose `Origin` header is not exactly one of the configured allowed origins
- Responses that return `Access-Control-Allow-Origin` for an origin not on the configured list (a reflected origin that is only a suffix match indicates the bypass was exercised)
Network Indicators:
- HTTP requests with Origin headers that have suspicious domain suffixes matching allowed domains
SIEM Query (pseudo-query; translate the operators to your SIEM's syntax):
http.origin:* AND NOT http.origin IN (allowed_domains_list) AND http.origin ENDSWITH (allowed_domain_suffixes)
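The Go program below is an added example (not part of the original page) that runs the logic of the SIEM query above over a few constructed access-log lines: origins exactly on the allow list are skipped, and anything left whose host ends with one of the bare domains the application was configured with is flagged. It goes a step further than the query by telling a sibling subdomain apart from the true `HasSuffix` collision this CVE is about. The log format, origins and paths are invented for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample access-log lines for this example (not captured traffic):
// timestamp, method, path, Origin header ("-" when absent), status.
const sampleLog = `2024-03-05T10:00:01Z GET /api/profile https://example.com 200
2024-03-05T10:00:02Z GET /api/profile https://malicious-example.com 200
2024-03-05T10:00:03Z GET /api/profile - 200
2024-03-05T10:00:04Z POST /api/transfer https://notexample.com 200
2024-03-05T10:00:05Z GET /api/profile https://evil.test 200
2024-03-05T10:00:06Z GET /api/profile http://example.com 200
2024-03-05T10:00:07Z GET /api/profile https://app.example.com 200`

// Finding is one log line whose Origin deserves a look.
type Finding struct {
	Line   int
	Origin string
	Reason string
}

// suspiciousOrigins implements the SIEM logic in code: skip origins that are
// exactly on the allow list, then flag any remaining origin whose host ends with
// one of the bare domains the application was configured with. The dot-boundary
// test separates a sibling subdomain from the HasSuffix collision.
func suspiciousOrigins(logText string, allowedOrigins, configuredDomains []string) []Finding {
	exact := make(map[string]bool, len(allowedOrigins))
	for _, o := range allowedOrigins {
		exact[strings.ToLower(o)] = true
	}
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		fields := strings.Fields(sc.Text())
		if len(fields) < 5 || fields[3] == "-" {
			continue // no Origin header: not a cross-origin browser request
		}
		origin := strings.ToLower(fields[3])
		if exact[origin] {
			continue
		}
		u, err := url.Parse(origin)
		if err != nil || u.Host == "" {
			findings = append(findings, Finding{n, origin, "unparseable Origin value"})
			continue
		}
		host := u.Hostname()
		for _, d := range configuredDomains {
			d = strings.ToLower(d)
			switch {
			case host == d:
				findings = append(findings, Finding{n, origin, "listed host but scheme or port differs"})
			case strings.HasSuffix(host, "."+d):
				findings = append(findings, Finding{n, origin, "subdomain of " + d + " not on exact allow list"})
			case strings.HasSuffix(host, d):
				findings = append(findings, Finding{n, origin, "suffix collision with " + d + " (HasSuffix bypass pattern)"})
			}
		}
	}
	return findings
}

func main() {
	for _, f := range suspiciousOrigins(sampleLog, []string{"https://example.com"}, []string{"example.com"}) {
		fmt.Printf("line %d: %s -> %s\n", f.Line, f.Origin, f.Reason)
	}
}
```

On the sample, lines 2 and 4 surface as suffix collisions (the exploit pattern), line 6 as a scheme mismatch and line 7 as an unlisted subdomain, while `https://evil.test` is ignored because it would never have passed the vulnerable check either; point the same function at your real access logs after extracting the `Origin` field.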
🔗 References
- https://github.com/zeromicro/go-zero/commit/d9d79e930dff6218a873f4f02115df61c38b15db
- https://github.com/zeromicro/go-zero/security/advisories/GHSA-fgxv-gw55-r5fq