#VU112140 Security features bypass in Flask-CORS - CVE-2024-6839

Published: July 3, 2025


Vulnerability identifier: #VU112140
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-6839
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Flask-CORS
Software vendor:
Cory Dolphin

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to improper regex path matching. When several resource patterns are configured, the extension gives priority to the longer regex pattern rather than the more specific one, so a longer but broader pattern (for example one built from a wildcard or character class) can capture a request path before the shorter, exact pattern written for that endpoint is tried. As a result, the less restrictive CORS policy is applied to sensitive endpoints. A remote attacker can use this to gain unauthorized cross-origin access to sensitive data or functionality.
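The following is an added example and is not code from Flask-CORS or from the advisory. It models the ordering problem described above with a constructed two-pattern configuration: a longest-string-first order (the behaviour the advisory describes) is compared with a hypothetical specificity-aware order, and an audit helper reports literal paths that an earlier, broader pattern would capture first. The `specificity` heuristic and the helper names are assumptions for illustration, not the upstream fix; `re.match` is used as a stand-in for the extension's own matching.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed example configuration (not taken from the advisory). The broad
# pattern is the longer string, which is exactly the case that goes wrong.
RESOURCES: Dict[str, dict] = {
    r"/api/admin": {"origins": ["https://admin.example.com"]},
    r"/api/[a-z0-9_-]+": {"origins": "*"},  # longer, but matches far more paths
}

# Regex metacharacters; a pattern without any of them is a literal path.
_META = re.compile(r"[\\.*+?^$|()\[\]{}]")


def order_by_length(resources: Dict[str, dict]) -> List[Tuple[str, dict]]:
    """Model of the vulnerable ordering: longest pattern string is tried first."""
    return sorted(resources.items(), key=lambda kv: len(kv[0]), reverse=True)


def specificity(pattern: str) -> Tuple[int, int]:
    """Hypothetical ranking (assumption, not Flask-CORS's fix): fewer wildcard
    constructs first, then more literal characters. Higher tuple = more specific."""
    wildcards = len(re.findall(r"\.\*|\.\+|[*+?]|\||\\[dws]|\[[^\]]*\]", pattern))
    # Drop character classes and group markers so their contents are not
    # counted as literal text.
    stripped = re.sub(r"\[[^\]]*\]|\(\?:|[()]", "", pattern)
    literal = sum(ch.isalnum() or ch in "/_-." for ch in stripped)
    return (-wildcards, literal)


def order_by_specificity(resources: Dict[str, dict]) -> List[Tuple[str, dict]]:
    """Specificity-aware ordering: exact paths are tried before broad regexes."""
    return sorted(resources.items(), key=lambda kv: specificity(kv[0]), reverse=True)


def select_policy(path: str, ordered: List[Tuple[str, dict]]) -> Tuple[Optional[str], Optional[dict]]:
    """Return the first (pattern, policy) whose regex matches the request path."""
    for pattern, policy in ordered:
        if re.match(pattern, path):
            return pattern, policy
    return None, None


def compare(path: str) -> Tuple[object, object]:
    """Origins policy chosen for `path` under the vulnerable and the specific ordering."""
    _, vuln_policy = select_policy(path, order_by_length(RESOURCES))
    _, fixed_policy = select_policy(path, order_by_specificity(RESOURCES))
    return vuln_policy["origins"], fixed_policy["origins"]


def shadowed_patterns(resources: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Audit check: literal paths that a longer, earlier-tried pattern would capture.
    Returns (literal_path, shadowing_pattern) pairs; an empty list means no shadowing."""
    ordered = order_by_length(resources)
    findings = []
    for i, (pattern, _) in enumerate(ordered):
        if _META.search(pattern):
            continue  # only literal paths can be shadowed unambiguously
        for broad, _ in ordered[:i]:
            if re.match(broad, pattern):
                findings.append((pattern, broad))
    return findings


if __name__ == "__main__":
    print("/api/admin  length-first vs specific:", compare("/api/admin"))
    print("/api/public length-first vs specific:", compare("/api/public"))
    print("shadowed:", shadowed_patterns(RESOURCES))
```

Under the length-first order the `/api/admin` endpoint receives the wildcard `*` origins policy intended for the public routes; under the specificity-aware order it keeps its restricted origin, while `/api/public` still falls through to the broad rule in both cases. Running `shadowed_patterns` over a real configuration before upgrading is a quick way to spot exact paths that a broader, longer pattern would silently take over.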


Remediation

Install updates from vendor's website.

External links