GHSA-vhxv-fg4m-p2w8

Source

https://github.com/advisories/GHSA-vhxv-fg4m-p2w8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vhxv-fg4m-p2w8/GHSA-vhxv-fg4m-p2w8.json

Published

2024-05-03T17:34:17Z

Modified

2024-05-03T17:34:17Z

Summary

Some CORS middleware allow untrusted origins

Details

Impact

Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.

For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.

Patches

Patched in v0.1.3.

Workarounds

None.

References

• https://github.com/jub0bs/cors/security/advisories/GHSA-vhxv-fg4m-p2w8
• https://github.com/jub0bs/cors/commit/5bc0648a32db2d600179a50866f648f4d7090363
• https://github.com/jub0bs/cors