CVE-2024-6866

7.5 HIGH

📋 TL;DR

This vulnerability in flask-cors 4.01 allows unauthorized origins to bypass CORS restrictions due to case-insensitive path matching. Attackers can access restricted API endpoints, potentially exposing sensitive data. Any application using the vulnerable version with CORS path restrictions is affected.

💻 Affected Systems

Products:
  • corydolphin/flask-cors
Versions: Version 4.01
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using path-based CORS restrictions; applications without path restrictions or with wildcard origins are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete data exposure from restricted API endpoints, enabling attackers to steal sensitive information or perform unauthorized actions.

🟠 Likely Case: Partial data leakage from misconfigured endpoints, potentially exposing user data or internal information.

🟢 If Mitigated: Limited impact with proper authentication and additional security layers, though CORS bypass remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires knowledge of restricted paths and ability to craft requests from unauthorized origins.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.0.2 or later

Vendor Advisory: https://github.com/corydolphin/flask-cors/security/advisories/GHSA-4w8f-7prg-5vq9

Restart Required: No

Instructions:

1. Update flask-cors: pip install --upgrade "flask-cors>=4.0.2" (quote the specifier so the shell does not treat >= as a redirect)
2. Verify the version: pip show flask-cors
3. No application restart required for Python applications using dynamic imports.

🔧 Temporary Workarounds

Implement custom CORS path validation (applies to: all)

Add a before-request hook that rejects any path whose case differs from its lower-case form, so case-varied paths are refused before CORS processing runs. This only works when every route in the application is lower-case.

# Custom before-request hook: reject paths containing upper-case characters
# so that case-varied requests never reach flask-cors path matching.
# Assumes all application routes are lower-case.
from flask import Flask, request

app = Flask(__name__)  # or your existing application object

@app.before_request
def validate_path_case():
    if request.path.lower() != request.path:
        return 'Invalid path', 400

🧯 If You Can't Patch

  • Disable CORS path restrictions and rely on authentication/authorization
  • Implement reverse proxy with proper path validation before reaching application

🔍 How to Verify

Check if Vulnerable:

Check the installed version: pip show flask-cors | grep Version

Verify Fix Applied:

Confirm the version is 4.0.2 or higher and test CORS path restrictions with case variations.
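To make the "test with case variations" step concrete, the following added example (not part of this page or of flask-cors) models a path-based CORS resource table with two patterns that differ only by case, and compares a case-insensitive matcher against the case-sensitive one. The resource patterns, origins and function names are constructed for illustration, and the assumption that the defect amounts to a case-insensitive regular-expression match over the request path is the example's own.

```python
import re
from typing import Optional

# Constructed table in the shape of flask-cors' `resources` option:
# (path regex, per-resource options); the first matching entry wins.
# The two patterns differ only by case, the situation the advisory concerns.
RESOURCES = [
    (r"/API/.*", {"origins": "*"}),                           # legacy public API
    (r"/api/.*", {"origins": ["https://app.example.test"]}),  # restricted API
]


def match_resource(path: str, case_insensitive: bool) -> Optional[dict]:
    """Return the options of the first resource whose regex matches `path`.

    `case_insensitive=True` models the reported defect (assumed here to be a
    case-insensitive regex match); `False` is the case-sensitive, fixed form.
    """
    flags = re.IGNORECASE if case_insensitive else 0
    for pattern, options in RESOURCES:
        if re.match(pattern, path, flags=flags):
            return options
    return None


def origin_allowed(origin: str, path: str, case_insensitive: bool = False) -> bool:
    """True if `origin` would be granted Access-Control-Allow-Origin for `path`."""
    options = match_resource(path, case_insensitive)
    if options is None:  # no resource matched: no CORS headers are emitted
        return False
    allowed = options["origins"]
    return allowed == "*" or origin in allowed


def case_variation_check(origin: str, path: str) -> dict:
    """Verification helper: show how the same request fares under both matchers.

    A discrepancy between the two results is the signature of the defect.
    """
    return {
        "vulnerable": origin_allowed(origin, path, case_insensitive=True),
        "fixed": origin_allowed(origin, path, case_insensitive=False),
    }
```

Under the case-insensitive matcher the restricted `/api/...` request is captured by the earlier `/API/.*` wildcard entry, so an untrusted origin is allowed; the case-sensitive matcher routes it to the restricted entry and denies it.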

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200/204 responses to similar paths with different cases from unauthorized origins
  • CORS preflight requests with case-varied paths

Network Indicators:

  • Cross-origin requests to restricted paths with case variations
  • Increased CORS preflight traffic

SIEM Query:

source="web_logs" AND (path:*[A-Z]* OR origin!="allowed_origin") AND response_code=200
