Medium

flask-cors

Inconsistent CORS Matching Due to Handling of '+' in URL Path

A bug in Flask CORS version 4.0.1 causes incorrect path normalization by converting '+' to a space, leading to mismatches in CORS configuration. This issue was identified but not yet patched.

Available publicly on Aug 28 2024

CVSS score: 5.3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Credit: tomorroisnew

Threat Overview

The vulnerability arises from the incorrect handling of the '+' character in URL paths by the Flask CORS extension. When the request path is processed, the '+' character is converted to a space, which can lead to incorrect matching of CORS policies. This misconfiguration can result in unauthorized cross-origin access or the blocking of legitimate requests, thereby creating security vulnerabilities and usability issues.
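As an added illustration (not part of this advisory and not flask-cors's own code), the following model shows why a restrictive rule can silently stop applying: unquote_plus-style normalization turns '+' in the path into spaces, the specific rule no longer matches, and the request falls through to a permissive catch-all. The resource table, the path and the origins are constructed; the first-match-wins loop is a simplification of the library's matching.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed flask-cors style resource table: each key is a regex tried
# against the request path, first match wins. The specific rule is meant to
# confine the C++ docs endpoint to one origin; the catch-all allows any origin.
RESOURCES = [
    (r"/api/c\+\+/.*", {"origins": ["https://trusted.example"]}),
    (r"/.*", {"origins": ["*"]}),
]


def normalize_vulnerable(path: str) -> str:
    """Models the 4.0.1 behaviour the advisory describes: unquote_plus decodes
    the path as if it were a query string, so every '+' becomes a space."""
    return unquote_plus(path)


def normalize_fixed(path: str) -> str:
    """Corrected normalization: percent-decode only; a literal '+' survives."""
    return unquote(path)


def match_resource(path: str, normalize):
    """Return (pattern, options) of the first rule matching the normalized path."""
    normalized = normalize(path)
    for pattern, options in RESOURCES:
        if re.match(pattern, normalized):
            return pattern, options
    return None, None


def allowed_origins(path: str, normalize) -> list:
    """Origins the CORS layer would allow for this path under a normalization."""
    _, options = match_resource(path, normalize)
    return options["origins"] if options else []


def rule_changes_with_plus_handling(path: str) -> bool:
    """Operator check: True when '+' handling selects a different rule, i.e.
    the configured restriction would not apply on the affected version."""
    vulnerable_rule, _ = match_resource(path, normalize_vulnerable)
    fixed_rule, _ = match_resource(path, normalize_fixed)
    return vulnerable_rule != fixed_rule


if __name__ == "__main__":
    for p in ("/api/c++/docs", "/api/plain/docs"):
        print(p, allowed_origins(p, normalize_vulnerable),
              allowed_origins(p, normalize_fixed), rule_changes_with_plus_handling(p))
```

Running `rule_changes_with_plus_handling` over an application's route list with its real resource table is a quick way to find which restricted endpoints are affected before upgrading.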

Attack Scenario

An attacker can exploit this vulnerability by sending a request to an endpoint with a '+' character in the URL path. Due to the incorrect conversion, the CORS policy may not be applied correctly, allowing the attacker to access sensitive information or perform actions that should be restricted to specific origins.

Who is affected

Developers and users of applications using Flask CORS version 4.0.1 are affected. This includes any web applications that rely on precise CORS configurations to protect sensitive endpoints.

Technical Report