Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.
For example, specifying origin patterns “https://foo.com” and “https://bar.com” (in that order) would yield a middleware that would incorrectly allow untrusted origin “https://barfoo.com”.