GHSA-v84h-653v-4pq9: Some CORS middleware allow untrusted origins
Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question.
For example, specifying origin patterns https://foo.com and https://bar.com (in that order) would yield a middleware that would incorrectly allow untrusted origin https://barfoo.com.
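As an added illustration (not code from the affected middleware or from this advisory), the following Go snippet shows an origin check that compares whole origins for equality, so a host that merely ends in an allowed host (https://barfoo.com versus https://foo.com) is rejected, plus a small probe, `Leaks`, that flags any decision function accepting origins that exact matching would reject; the allow-list, function names and probes are assumptions for the example.

```go
package main

import (
	"net/url"
	"strings"
)

// Constructed allow-list with the shape the advisory describes: two origin
// patterns whose hosts share a proper suffix (".com"), in the same order.
var allowedOrigins = []string{"https://foo.com", "https://bar.com"}
// normalize turns a bare Web origin (scheme://host[:port]) into a canonical
// string, so the allow check is whole-value equality, never a host-suffix test.
func normalize(origin string) (string, bool) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" || u.User != nil || u.Path != "" || u.RawQuery != "" {
		return "", false // not a bare origin (has a path, query, userinfo, or no host)
	}
	scheme, host := strings.ToLower(u.Scheme), strings.ToLower(u.Hostname())
	if port := u.Port(); port != "" {
		host += ":" + port
	}
	return scheme + "://" + host, true
}

// IsAllowed accepts origin only if it equals an allow-list entry after
// normalization; https://barfoo.com is rejected although its host ends in foo.com.
func IsAllowed(allowList []string, origin string) bool {
	want, ok := normalize(origin)
	if !ok {
		return false
	}
	for _, a := range allowList {
		if got, ok := normalize(a); ok && got == want {
			return true
		}
	}
	return false
}
// Leaks is a regression probe for any middleware's origin decision function:
// it returns every probe that allow accepts but exact matching would reject.
func Leaks(allow func(string) bool, allowList, probes []string) []string {
	var leaks []string
	for _, p := range probes {
		if allow(p) && !IsAllowed(allowList, p) {
			leaks = append(leaks, p)
		}
	}
	return leaks
}
```

Feeding `Leaks` the real middleware's decision function together with origins such as https://barfoo.com gives a quick regression test for the behaviour this advisory describes.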