This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: go-zero < 1.4.4 allows malicious domains to bypass filters via configurable parameters. π **Consequences**: High impact on Confidentiality & Integrity.β¦
π’ **Affected**: zeromicro / go-zero. π¦ **Version**: All versions **before 1.4.4**. If you are running an older Web/RPC framework version, you are at risk.
π **Threshold**: **LOW**. CVSS Vector: AV:N (Network), AC:L (Low Complexity), PR:N (No Privileges Required). No authentication or complex configuration is needed to exploit this remotely.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π§ͺ **Public Exploit**: **No** public PoC or wild exploitation detected in the provided data. However, the logic flaw is clear, making custom exploits highly probable for skilled attackers.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Check your `go.mod` or dependency tree. If `go-zero` version is `< 1.4.4`, you are vulnerable. Look for configurations where domain filters are user-controllable.
Q8Is it fixed officially? (Patch/Mitigation)
β **Fixed**: **YES**. Patched in version **1.4.4**. π **Reference**: See GitHub commit `d9d79e9` and GHSA advisory `fgxv-gw55-r5fq` for official details.
Q9What if no patch? (Workaround)
π§ **No Patch Workaround**: If you cannot upgrade immediately, **disable** the configurable filter parameter if possible.β¦
β‘ **Urgency**: **HIGH**. CVSS 3.1 indicates severe impact. Since it requires no auth and is network-accessible, patch to v1.4.4 **immediately** to prevent potential bypass attacks.