A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.
References
Link | Resource |
---|---|
https://huntr.com/bounties/731a6cd4-d05f-4fe6-8f5b-fe088d7b34e0 | Exploit Third Party Advisory |
Configurations
History
01 Aug 2025, 01:32
Type | Values Removed | Values Added |
---|---|---|
References | () https://huntr.com/bounties/731a6cd4-d05f-4fe6-8f5b-fe088d7b34e0 - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:flask-cors_project:flask-cors:4.0.1:*:*:*:*:*:*:* | |
First Time |
Flask-cors Project flask-cors
Flask-cors Project |
|
Summary |
|
20 Mar 2025, 10:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-03-20 10:15
Updated : 2025-08-01 01:32
NVD link : CVE-2024-6844
Mitre link : CVE-2024-6844
CVE.ORG link : CVE-2024-6844
JSON object : View
Products Affected
flask-cors_project
- flask-cors
CWE
CWE-840
Business Logic Errors