Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.
For example, specifying origin patterns https://foo.com
and https://bar.com
(in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com
.
Patched in v0.9.0.
None.