Lucene search

K
githubGitHub Advisory DatabaseGHSA-V84H-653V-4PQ9
HistoryMay 03, 2024 - 5:34 p.m.

Some CORS middleware allow untrusted origins

2024-05-0317:34:21
GitHub Advisory Database
github.com
13
cors
middleware
untrusted origins
cross-origin attacks
security issue
patch v0.9.0

AI Score

7

Confidence

High

Impact

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.

For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.

Patches

Patched in v0.9.0.

Workarounds

None.

Affected configurations

Vulners
Node
jub0bsfcorsRange0.8.0
VendorProductVersionCPE
jub0bsfcors*cpe:2.3:a:jub0bs:fcors:*:*:*:*:*:*:*:*

AI Score

7

Confidence

High