CVE-2024-6839
📋 TL;DR
CVE-2024-6839 is an improper regex path matching vulnerability in flask-cors 4.0.1 that causes longer regex patterns to be prioritized over more specific ones when matching paths. This can result in less restrictive CORS policies being applied to sensitive endpoints, potentially allowing unauthorized cross-origin access to confidential data or functionality. Any application using the vulnerable version of flask-cors with regex-based CORS path configurations is affected.
💻 Affected Systems
- corydolphin/flask-cors
📦 What is this software?
Flask Cors by Flask Cors Project
⚠️ Risk & Real-World Impact
Worst Case
Sensitive endpoints with restrictive CORS policies could be exposed with permissive CORS headers, allowing malicious websites to make unauthorized cross-origin requests and access confidential user data or perform unauthorized actions.
Likely Case
Specific endpoints with carefully configured CORS restrictions may inadvertently inherit more permissive CORS policies from broader regex patterns, potentially exposing sensitive API endpoints to cross-origin attacks.
If Mitigated
If proper CORS policies are enforced at the application level or through additional security layers, the impact is limited to potential misconfiguration rather than direct data exposure.
🎯 Exploit Status
Exploitation requires the attacker to craft cross-origin requests to endpoints that should have restrictive CORS policies but inherit permissive ones due to the regex priority issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.2
Vendor Advisory: https://github.com/corydolphin/flask-cors/releases/tag/4.0.2
Restart Required: Yes
Instructions:
1. Update flask-cors to version 4.0.2 or later using pip (quote the specifier so the shell does not treat >= as a redirect): pip install 'flask-cors>=4.0.2'
2. Restart your Flask application
3. Verify the fix by testing CORS behavior on endpoints using regex patterns
🔧 Temporary Workarounds
Use explicit path strings instead of regex patterns
Replace regex-based CORS path configurations with explicit string paths to avoid the regex priority issue
# Instead of: CORS(app, resources={r'/api/*': {...}})
# Use: CORS(app, resources={'/api/users': {...}, '/api/admin': {...}})
Implement CORS validation at application layer
Add additional CORS validation in your Flask application logic to ensure proper origin checking regardless of flask-cors configuration
# Example using a Flask after_request hook
from flask import request

# Placeholder: replace with the origins your application actually trusts
ALLOWED_ORIGINS = {'https://app.example.com'}

@app.after_request
def add_cors_headers(response):
    # If the request's Origin is not on the allow list, strip any
    # Access-Control-Allow-Origin header that flask-cors may have set,
    # so the browser blocks the cross-origin response. Requests without
    # an Origin header (same-origin, non-browser) are left without the header too.
    if request.headers.get('Origin') not in ALLOWED_ORIGINS:
        response.headers.pop('Access-Control-Allow-Origin', None)
    return response
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with CORS policy enforcement
- Use reverse proxy with strict CORS header validation
🔍 How to Verify
Check if Vulnerable:
Check if flask-cors version 4.0.1 is installed and if your application uses regex patterns in CORS configurations
Check Version:
pip show flask-cors | grep Version
Verify Fix Applied:
After updating to 4.0.2+, test that endpoints with restrictive CORS policies properly reject unauthorized cross-origin requests
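The following offline audit is an added example; it is not from this advisory or from the flask-cors project. It assumes the selection behaviour the advisory describes (patterns ordered longest first, the first pattern that re.match accepts wins) and checks a resources dict for paths where that ordering picks a broad pattern over a shorter, more specific one that would have allowed fewer origins. The sample resources, paths and probe origins are constructed for illustration.

```python
import re

# Constructed sample configuration (not a real application's): a broad,
# longer versioned pattern coexists with a shorter, more specific admin path.
SAMPLE_RESOURCES = {
    r"/api/v[0-9]+/.*": {"origins": "*"},
    r"/api/v1/admin": {"origins": ["https://admin.example.com"]},
    r"/public/.*": {"origins": "*"},
}
SAMPLE_PATHS = ["/api/v1/admin", "/api/v1/users", "/public/docs"]
# Constructed probe origins: one trusted, one that must never be admitted.
PROBE_ORIGINS = ["https://admin.example.com", "https://untrusted.example"]


def first_match_by_length(resources, path):
    """Assumed vulnerable selection: longest pattern first, first re.match wins."""
    ordered = sorted(resources.items(), key=lambda kv: len(kv[0]), reverse=True)
    for pattern, options in ordered:
        if re.match(pattern, path):
            return pattern, options
    return None, None


def allows_origin(options, origin):
    """True if a resource's 'origins' option admits the given Origin value."""
    origins = options.get("origins", "*")
    if origins == "*":
        return True
    if isinstance(origins, str):
        origins = [origins]
    return origin in origins


def audit(resources, paths, probe_origins):
    """Report paths where the length-first choice admits an origin that a
    shadowed, more specific matching pattern would have rejected."""
    findings = []
    for path in paths:
        matches = [(p, o) for p, o in resources.items() if re.match(p, path)]
        applied, applied_opts = first_match_by_length(resources, path)
        for pattern, options in matches:
            if pattern == applied:
                continue
            leaked = [o for o in probe_origins
                      if allows_origin(applied_opts, o) and not allows_origin(options, o)]
            if leaked:
                findings.append({"path": path, "applied": applied,
                                 "shadowed": pattern, "leaked_origins": leaked})
    return findings


def run_demo():
    """Run the audit over the constructed sample configuration."""
    return audit(SAMPLE_RESOURCES, SAMPLE_PATHS, PROBE_ORIGINS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}: applied {f['applied']!r}, shadowing {f['shadowed']!r}; "
              f"origins admitted that the specific rule rejects: {f['leaked_origins']}")
```

Feed it your real resources dict, the sensitive paths you care about, and an origin you expect to be rejected; any finding names a pattern whose restrictive origins are being bypassed by a longer, broader one, which tells you exactly which rules to rewrite as explicit paths while you schedule the upgrade.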
📡 Detection & Monitoring
Log Indicators:
- Unexpected successful cross-origin requests to sensitive endpoints
- CORS policy mismatch warnings in application logs
Network Indicators:
- Cross-origin requests to sensitive endpoints with permissive CORS headers
- Origin header mismatches in HTTP requests
SIEM Query:
web_access AND (cors OR origin) AND status=200 AND sensitive_endpoint