GHSA-mh55-gqvf-xfwm: 
vulnerability analysis and mitigation

A denial of service vulnerability was discovered in github.com/rs/cors versions 1.9.0 through 1.10.0. The middleware causes excessive heap allocations when processing malicious preflight requests that include an Access-Control-Request-Headers (ACRH) header containing many commas. This vulnerability was disclosed on July 5, 2024, and was assigned the identifier GHSA-mh55-gqvf-xfwm (GitHub Advisory).

The vulnerability stems from inefficient processing of the Access-Control-Request-Headers header in preflight requests. When handling malicious preflight requests with ACRH headers containing numerous commas, the middleware performs prohibitive heap allocations. Testing showed that processing a single 1-MiB malicious preflight request could take 127ms of execution time and consume approximately 116 MiB of heap allocations (CORS Issue).

This vulnerability could be exploited by attackers to cause denial of service by generating undue load on servers using the middleware. The impact is particularly significant because CORS middleware typically runs before authentication, meaning attackers don't need to be authenticated to exploit it. Local testing demonstrated that concurrent sending of malicious preflight requests could cause memory exhaustion in containers with limited memory (CORS Issue).

The vulnerability has been fixed in version 1.11.0 of github.com/rs/cors. The fix involves normalizing allowed request headers and storing them in a sorted set, taking advantage of guarantees provided by the Fetch standard regarding the format of CORS-unsafe request header names (CORS PR).