Inconsistent CORS Matching Due to Handling of '+' in URL Path
Available publicly on Aug 28 2024
Threat Overview
The vulnerability arises from the way the Flask-CORS extension normalizes the request path before matching it against the configured resource patterns. In Flask-CORS 4.0.1 the path is decoded as if it were a query string, so a literal '+' in the path is converted to a space. The CORS resource regexes are then matched against this altered path rather than the path the application actually serves. A rule written for a path containing '+' therefore fails to match (the request falls through to a less specific rule, or to no rule at all), and a rule written for a path containing a space can match a request that never contained one. Depending on how the resource map is written, the result is either a permissive policy applied to an endpoint that was meant to be restricted (unauthorized cross-origin access) or a missing policy on an endpoint that should have been reachable cross-origin (legitimate requests blocked by the browser).
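The following is an added example, not code from the Flask-CORS project or from the original advisory. It reproduces the mismatch in pure Python by matching a Flask-CORS-style resource map against a request path twice: once after `urllib.parse.unquote_plus` (the behaviour described above, where '+' becomes a space) and once after `urllib.parse.unquote` (which leaves '+' alone). The resource patterns, the origins and the path `/admin/export+all` are constructed for illustration; the ordering rule (first matching pattern wins, with a permissive catch-all last) is an assumption of this toy matcher, not a statement about how Flask-CORS orders its resources. It assumes the path has already been percent-decoded by the framework, as Flask's `request.path` is, so `%2B` arrives as a literal '+'.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed Flask-CORS-style `resources` mapping: pattern -> options.
# Assumption: patterns are tried in order and the first match decides
# which origins are allowed. The catch-all at the end is deliberately
# permissive, which is the configuration shape that turns the mismatch
# into unauthorized cross-origin access.
RESOURCES = [
    (r"^/admin/export\+all$", {"origins": ["https://admin.example"]}),
    (r"^/.*$", {"origins": ["*"]}),
]


def normalize_vulnerable(path):
    # Behaviour described in the advisory for Flask-CORS 4.0.1: the path is
    # decoded as if it were a query string, so a literal '+' becomes ' '.
    return unquote_plus(path)


def normalize_fixed(path):
    # Path-safe decoding: unquote() only expands %XX escapes and keeps '+'.
    return unquote(path)


def resolve_resource(path, normalize):
    """Return (pattern, options) for the first pattern matching the
    normalized path, or (None, None) when nothing matches."""
    candidate = normalize(path)
    for pattern, options in RESOURCES:
        if re.match(pattern, candidate):
            return pattern, options
    return None, None


def origin_allowed(path, origin, normalize):
    """Would `origin` receive an Access-Control-Allow-Origin for `path`?"""
    _, options = resolve_resource(path, normalize)
    if options is None:
        return False  # no rule matched: no CORS headers are emitted at all
    allowed = options["origins"]
    return "*" in allowed or origin in allowed


def vulnerable_allows(path, origin):
    return origin_allowed(path, origin, normalize_vulnerable)


def fixed_allows(path, origin):
    return origin_allowed(path, origin, normalize_fixed)


if __name__ == "__main__":
    path = "/admin/export+all"  # constructed endpoint with a literal '+'
    for origin in ("https://admin.example", "https://evil.example"):
        print(
            f"{path} from {origin}: "
            f"vulnerable={vulnerable_allows(path, origin)} "
            f"fixed={fixed_allows(path, origin)}"
        )
```

With the '+'-to-space conversion the restricted pattern never sees `/admin/export+all`; the request is matched as `/admin/export all`, falls through to the wildcard catch-all, and an arbitrary origin is allowed. With plain `unquote` the restrictive rule matches and only the configured origin is allowed. The same test, rewritten against the real extension's resource configuration, is a quick way to check whether a deployment's rules depend on '+' in any path.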
Attack Scenario
An attacker who controls a page on an untrusted origin can have the victim's browser send a cross-origin request to an endpoint whose path contains a '+' character. Because the extension matches the resource patterns against the converted path, the restrictive rule intended for that endpoint is skipped and a broader or wildcard rule is applied instead, so the response carries CORS headers that allow the attacker's origin. The attacker's script can then read the response, exposing data or the result of actions that were meant to be available only to specific origins. The same conversion also has a usability side: a rule written for a path with a '+' never matches, so legitimate cross-origin callers of that endpoint receive no CORS headers and are blocked by the browser.
Who is affected
Developers and users of applications using Flask-CORS version 4.0.1 are affected. This includes any web application that relies on per-path CORS resource patterns to protect sensitive endpoints, especially where a path containing a '+' character is governed by a stricter rule than the surrounding paths. Operators should review their resource configuration for patterns whose correctness depends on '+' in the path and confirm, with a request to such an endpoint, which rule is actually applied.