CVE-2025-47910

Published Sep 22, 2025

Last updated 2 months ago

CVSS medium 5.4
SonarSource SonarQube

Overview

AI description

Automated description summarized from trusted sources.

CVE-2024-47910 refers to a vulnerability in SonarSource SonarQube before versions 9.9.5 LTA and 10.x before 10.5. It allows a SonarQube user with the Administrator role to modify an existing configuration of a GitHub integration to exfiltrate a pre-signed JWT. The vulnerability is related to improper access control in the GitHub integration configuration. If exploited, this vulnerability could lead to the exposure of sensitive authentication tokens, potentially allowing unauthorized access to integrated GitHub resources. The vulnerability has been fixed in SonarQube versions 9.9.5 LTA and 10.5, which were released on June 25, 2024. The fix involves forcing administrators to provide a Private Key for verification when modifying the GitHub API URL. Users are advised to upgrade to these versions or later.

Description
When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.
Source: security@golang.org
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1

Type: Secondary
Base score: 5.4
Impact score: 2.5
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Severity: MEDIUM

Social media

Hype score: Not currently trending