CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
AI Score
Confidence: High
EPSS Percentile: 17.8%
@koa/cors is vulnerable to a Same-Origin Policy bypass. The flaw is in index.js: when no allowed origin is configured, the middleware by default returns an Access-Control-Allow-Origin header whose value is the Origin taken from the request. Reflecting the request origin disables a crucial browser protection and allows an attacker to bypass the Same-Origin Policy.
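The origin decision described above, as an added example that is not @koa/cors's own code: the reflecting default beside an allowlist-based resolver, written as pure functions so it runs without Koa installed. The allowlist is constructed for illustration; the assumption that @koa/cors's `origin` option accepts a function returning a string, and skips CORS headers on a falsy return, is noted in the comments.

```javascript
// Constructed allowlist for illustration: the only origins this API trusts.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Vulnerable default behaviour: whatever Origin the browser sent is echoed
// back, so any site can make the browser read this API's responses.
function reflectingOrigin(requestOrigin) {
  return requestOrigin;
}

// Hardened resolver: only an exact, allowlisted origin is echoed; anything
// else yields '' so the middleware emits no Access-Control-Allow-Origin.
function allowlistedOrigin(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  return allowlist.has(requestOrigin) ? requestOrigin : '';
}

// Builds the CORS headers the way a middleware would. Assumption: @koa/cors's
// `origin` option accepts (ctx) => string and treats a falsy result as
// "add no CORS headers". Vary: Origin keeps caches from mixing responses.
function corsHeaders(requestOrigin, originFn) {
  const origin = originFn(requestOrigin);
  if (!origin) return {};
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

// Wiring into Koa (assumed API shape, not executed here):
//   const cors = require('@koa/cors');
//   app.use(cors({ origin: (ctx) => allowlistedOrigin(ctx.get('Origin')) }));

module.exports = { ALLOWED_ORIGINS, reflectingOrigin, allowlistedOrigin, corsHeaders };
```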