Flask-cors Security Vulnerabilities and Issues — Flask-cors CVE List

Lucene search

Flask-cors ProjectFlask-cors

4 matches found

CVE•added 2020/08/31 4:15 a.m.•175 views

CVE-2020-25032

An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.

7.5CVSS7.2AI score0.0096EPSS

CVE•added 2025/03/20 10:15 a.m.•138 views

CVE-2024-6866

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the try_match function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching tre...

7.5CVSS5.3AI score0.00046EPSS

CVE•added 2025/03/20 10:15 a.m.•128 views

CVE-2024-6839

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex patter...

5.3CVSS4.6AI score0.00111EPSS

CVE•added 2025/03/20 10:15 a.m.•125 views

CVE-2024-6844

A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path n...

5.3CVSS5.5AI score0.00045EPSS