Security features bypass in Flask-CORS - CVE-2024-6839
Published: July 3, 2025
Vulnerability identifier: #VU112140
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-6839
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Cory Dolphin
Affected software:
Flask-CORS
Flask-CORS
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to improper regex path matching. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. A remote attacker can gain unauthorized cross-origin access to sensitive data or functionality.
How to mitigate CVE-2024-6839
Install updates from vendor's website.