CVE-2024-6844: Flask-CORS allows for inconsistent CORS matching
(updated )
A vulnerability in corydolphin/flask-cors version 5.0.1 allows for inconsistent CORS matching due to the handling of the ‘+’ character in URL paths. The request.path is passed through the unquote_plus function, which converts the ‘+’ character to a space ’ ‘. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.
References
- github.com/advisories/GHSA-8vgw-p6qm-5gr7
- github.com/corydolphin/flask-cors
- github.com/corydolphin/flask-cors/blob/main/flask_cors/extension.py
- github.com/corydolphin/flask-cors/commit/35d875319621bd129a38b2b823abf4a2f6cda536
- huntr.com/bounties/731a6cd4-d05f-4fe6-8f5b-fe088d7b34e0
- nvd.nist.gov/vuln/detail/CVE-2024-6844
Code Behaviors & Features
Detect and mitigate CVE-2024-6844 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →