GHSA-7rxf-gvfg-47g4

Source
https://github.com/advisories/GHSA-7rxf-gvfg-47g4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-7rxf-gvfg-47g4/GHSA-7rxf-gvfg-47g4.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7rxf-gvfg-47g4
Aliases
Related
Published
2025-03-20T12:32:45Z
Modified
2025-05-17T19:20:41.784125Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
Flask-CORS improper regex path matching vulnerability
Details

corydolphin/flask-cors version 5.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.
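The following is an added illustration of the matching-priority problem described above; it is example code written for this page, not Flask-CORS's own code. It models only the priority rule the advisory states (candidate patterns tried longest-first, first regex match wins) and deliberately ignores the rest of the library's option handling. The two resource maps, the route list and the `audit_shadowing` helper are constructed for the example; the negative-lookahead rewrite in `DISJOINT` is one way to make overlapping patterns mutually exclusive so that the selected policy no longer depends on which pattern is tried first.

```python
import re
from typing import Dict, List, Optional, Tuple

Options = Dict[str, object]
Resources = Dict[str, Options]

# Constructed sample resource map in the shape Flask-CORS accepts
# (pattern -> options). The admin API is meant to be reachable from one
# origin only; everything else under /api/ is meant to be public.
SHADOWED: Resources = {
    r"/api/admin/.*": {"origins": ["https://admin.example.com"]},
    r"/api/[a-zA-Z0-9_/.-]*": {"origins": "*"},
}

# Same intent, but the broad pattern explicitly excludes the admin prefix,
# so the two patterns are disjoint and selection order no longer matters.
DISJOINT: Resources = {
    r"/api/admin/.*": {"origins": ["https://admin.example.com"]},
    r"/api/(?!admin/)[a-zA-Z0-9_/.-]*": {"origins": "*"},
}

# Constructed list of paths the application serves.
ROUTES: List[str] = ["/api/admin/users", "/api/public/posts", "/health"]


def is_permissive(options: Options) -> bool:
    """True when the policy allows any origin, which Flask-CORS spells as "*"."""
    origins = options.get("origins", "*")  # assumption: "*" is the default
    if isinstance(origins, str):
        return origins == "*"
    return "*" in origins


def select_length_first(resources: Resources, path: str) -> Optional[Tuple[str, Options]]:
    """Simplified model of the priority rule the advisory describes: candidates
    are tried longest pattern first and the first regex match wins.
    This is a model for illustration, not Flask-CORS's implementation."""
    ordered = sorted(resources.items(), key=lambda kv: len(kv[0]), reverse=True)
    for pattern, options in ordered:
        if re.match(pattern, path):
            return pattern, options
    return None


def audit_shadowing(resources: Resources, routes: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, winning_pattern, shadowed_pattern) for every route where a
    permissive policy wins even though a restrictive pattern also matches it.
    Hypothetical helper: a configuration check, not part of Flask-CORS."""
    findings: List[Tuple[str, str, str]] = []
    for path in routes:
        selected = select_length_first(resources, path)
        if selected is None or not is_permissive(selected[1]):
            continue
        winner, _ = selected
        for pattern, options in resources.items():
            if pattern != winner and re.match(pattern, path) and not is_permissive(options):
                findings.append((path, winner, pattern))
    return findings


if __name__ == "__main__":
    for name, resources in (("shadowed", SHADOWED), ("disjoint", DISJOINT)):
        print(f"{name}:")
        for path in ROUTES:
            print(f"  {path} -> {select_length_first(resources, path)}")
        print(f"  findings: {audit_shadowing(resources, ROUTES)}")
```

Under the length-first rule, `/api/admin/users` in `SHADOWED` resolves to the 22-character public pattern rather than the 13-character admin one, so the any-origin policy is applied to the sensitive endpoint; the audit reports exactly that route. In `DISJOINT` the broad pattern is still tried first but fails on the admin prefix, and the request falls through to the restrictive policy, which is the property to check for after upgrading as well as before: run the registered routes through the configured patterns and confirm that no restrictive pattern is shadowed by a permissive one.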

Database specific
{
    "nvd_published_at": "2025-03-20T10:15:33Z",
    "cwe_ids": [
        "CWE-41"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-22T00:06:34Z"
}
References

Affected packages

PyPI / flask-cors

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
6.0.0

Affected versions

0.*

0.0.0.dev3
0.0.0.dev4

1.*

1.0
1.1
1.1.1
1.1.2
1.1.3
1.2.0
1.2.1
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.8.0
1.8.1
1.9.0
1.10.0
1.10.1
1.10.2
1.10.3

2.*

2.0.0rc1
2.0.0
2.0.1
2.1.0
2.1.1
2.1.2
2.1.3

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.6
3.0.7
3.0.8
3.0.9
3.0.10

4.*

4.0.0a0
4.0.0
4.0.1
4.0.2

5.*

5.0.0
5.0.1

Database specific

{
    "last_known_affected_version_range": "<= 5.0.1"
}