It turns out that rs/cors (Go's most popular CORS middleware library) allocates a lot of memory in response to some malicious unauthenticated requests.

This behaviour could be abused to crash servers that run on limited memory, thereby causing a denial of service.

No such problem in my own library: https://github.com/jub0bs/cors 😇

Issue: https://github.com/rs/cors/issues/170
PR (not merged yet): https://github.com/rs/cors/pull/171