CVE-2024-6866
Published: 20 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to gain initial access to a network.
Security Summary
CVE-2024-6866 is a vulnerability in corydolphin/flask-cors version 4.01, a Python library for handling Cross-Origin Resource Sharing (CORS) in Flask applications. The issue arises from case-insensitive request path matching implemented via the `try_match` function, which is intended for host matching rather than paths. URL paths are inherently case-sensitive, but the regex matching treats them as case-insensitive, creating a mismatch that permits unauthorized origins to bypass intended restrictions on specific paths.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). Exploitation enables unauthorized origins to access paths configured to be restricted, leading to high confidentiality impacts (C:H) such as data exposure and leaks, without affecting integrity or availability (I:N/A:N). The CVSS v3.1 base score is 7.5, linked to CWE-178 (Improper Handling of Case Sensitivity).
Advisories and patches are detailed in references including a Huntr bounty report at https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6 and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/05/msg00049.html. The vulnerability was published on 2025-03-20.
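To make the mismatch concrete, here is an added example (not flask-cors's own code) with a simplified stand-in for a first-match resource lookup; the resource patterns, paths and origins are constructed for illustration. Under case-insensitive matching, the open policy written for `/api/public/*` is also applied to the distinct, differently cased path `/api/Public/export`, which the fallback rule was meant to restrict; the case-sensitive variant is the corrected behaviour.

```python
import re

# Constructed resource map in the flask-cors style: path pattern -> CORS options,
# ordered most specific first so that a first-match lookup picks the intended rule.
RESOURCES = [
    (r"/api/public/*", {"origins": ["*"]}),               # meant to be open
    (r"/*", {"origins": ["https://intranet.example"]}),   # everything else restricted
]


def pattern_to_regex(pattern: str) -> str:
    """Turn a glob-style resource pattern into an anchored regex ("*" matches any run)."""
    return "^" + re.escape(pattern).replace(r"\*", ".*") + "$"


def try_match(path: str, pattern: str, case_sensitive: bool) -> bool:
    """Match a request path against a resource pattern.

    case_sensitive=False reproduces the CVE-2024-6866 behaviour: the path regex is
    applied with re.IGNORECASE, which suits host names but not URL paths.
    case_sensitive=True is the corrected behaviour.
    """
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(pattern_to_regex(pattern), path, flags=flags) is not None


def allowed_origins(path: str, case_sensitive: bool) -> list:
    """Return the origin allow-list of the first resource rule the path matches."""
    for pattern, options in RESOURCES:
        if try_match(path, pattern, case_sensitive):
            return options["origins"]
    return []  # no rule matched: no CORS headers would be emitted at all


def origin_permitted(origin: str, path: str, case_sensitive: bool) -> bool:
    """Decide whether a request Origin would receive Access-Control-Allow-Origin."""
    allowed = allowed_origins(path, case_sensitive)
    return "*" in allowed or origin in allowed


if __name__ == "__main__":
    # Constructed: /api/Public/export is a separate route from anything under /api/public/,
    # because Flask, like URL semantics in general, treats paths as case-sensitive.
    untrusted = "https://third-party.example"
    for sensitive in (False, True):
        label = "case-sensitive (fixed)" if sensitive else "case-insensitive (vulnerable)"
        print(f"{label}: {untrusted} -> /api/Public/export permitted? "
              f"{origin_permitted(untrusted, '/api/Public/export', sensitive)}")
```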
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-6866 in flask-cors enables exploitation of public-facing web applications by allowing unauthorized origins to bypass case-sensitive path restrictions via case-insensitive matching, resulting in unauthorized access and data exposure.