CVE-2025-50579
📋 TL;DR
A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data like JWT tokens due to improper Origin header validation. Attackers can intercept tokens using browser scripts and exfiltrate them to remote servers, potentially leading to unauthorized application actions. This affects all deployments using the vulnerable version.
💻 Affected Systems
- Nginx Proxy Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal JWT tokens and gain full administrative access to the proxy manager, allowing them to reconfigure proxies, intercept traffic, or compromise backend services.
Likely Case
Attackers steal user session tokens and perform unauthorized actions within the application, potentially accessing sensitive proxy configurations or user data.
If Mitigated
With proper CORS configuration, only legitimate domains can access sensitive endpoints, limiting token exposure to authorized origins only.
🎯 Exploit Status
Exploitation requires the attacker to trick a user into visiting a malicious website that runs JavaScript to exploit the CORS misconfiguration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v2.12.4 or later
Vendor Advisory: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4509
Restart Required: No
Instructions:
1. Update Nginx Proxy Manager to v2.12.4 or later using your package manager or Docker.
2. Verify the update completed successfully.
3. Test that CORS headers are properly validated.
🔧 Temporary Workarounds
Manual CORS Configuration
Manually configure Nginx to restrict CORS headers to trusted domains only.
Edit the Nginx configuration to add the following (the allowed origin must include the scheme, since browsers send and compare the full origin, not just the hostname):
add_header 'Access-Control-Allow-Origin' 'https://trusted-domain.com';
add_header 'Access-Control-Allow-Credentials' 'true';
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to restrict script execution
- Use additional authentication layers like IP whitelisting for administrative endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether the installed Nginx Proxy Manager version is v2.12.3, and test the CORS headers by sending requests with different Origin headers to sensitive endpoints.
Check Version:
docker exec nginx-proxy-manager cat /app/package.json | grep version
Verify Fix Applied:
After updating, test that requests with unauthorized Origin headers are rejected and only legitimate domains can access sensitive endpoints
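To make the verification above concrete, here is an added Python example (not code from the advisory or the Nginx Proxy Manager project) that sends a request carrying a chosen Origin and classifies the CORS headers in the response, before and after patching. The /api/ path is the one named in this advisory; the admin port, the trusted-origin list and the probe origin are assumptions to adjust for your deployment.

```python
import sys
import urllib.request
from urllib.error import HTTPError

# Assumed values: adjust to your deployment.
TRUSTED_ORIGINS = {"https://npm.example.internal"}
PROBE_ORIGIN = "https://untrusted.example"      # constructed, reserved TLD
DEFAULT_URL = "http://127.0.0.1:81/api/"        # assumes NPM's default admin port 81

def classify_cors(probe_origin, headers):
    """Classify CORS headers returned to a request carrying Origin: probe_origin.

    Returns 'no-cors', 'wildcard', 'restricted', 'reflected' or
    'reflected-credentialed'. The last two are the misconfiguration the
    advisory describes: an untrusted Origin is echoed back, and with
    Allow-Credentials the browser will expose the response to that origin.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse credentialed reads when ACAO is '*', so this is
        # lax but does not by itself expose cookie- or header-bound tokens.
        return "wildcard"
    if acao == probe_origin and probe_origin not in TRUSTED_ORIGINS:
        return "reflected-credentialed" if creds else "reflected"
    return "restricted"

def is_vulnerable(verdict):
    """True only when an untrusted origin is echoed back (the advisory's bug)."""
    return verdict.startswith("reflected")

def probe(url, origin=PROBE_ORIGIN, timeout=5):
    """Send one GET with the given Origin and return the response headers."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers)
    except HTTPError as err:      # 401/403 responses still carry CORS headers
        return dict(err.headers)

if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL
    verdict = classify_cors(PROBE_ORIGIN, probe(url))
    print(f"{url}: {verdict} ({'VULNERABLE' if is_vulnerable(verdict) else 'ok'})")
```

Run it against a v2.12.3 instance before and after updating; a verdict of restricted or no-cors for the untrusted origin confirms the fix is in effect.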
📡 Detection & Monitoring
Log Indicators:
- Multiple failed CORS preflight requests from unusual domains
- Unusual Origin headers in access logs
Network Indicators:
- Cross-origin requests to sensitive endpoints from unauthorized domains
- Unexpected data exfiltration to external domains
SIEM Query:
source="nginx-access.log" AND (uri="/api/*" OR uri="/auth/*") AND origin!="trusted-domain.com"