CVE-2024-6221 – flask-cors
Package
Manager: pip
Name: flask-cors
Vulnerable Version: >=0 <4.0.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0004 (percentile: 0.10993)
Details
Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default.
A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default, without any configuration option to disable it. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.
Metadata
Created: 2024-08-18T21:31:07Z
Modified: 2025-04-07T19:51:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-hxwh-jpp2-84pm/GHSA-hxwh-jpp2-84pm.json
CWE IDs: CWE-284
Alternative ID: GHSA-hxwh-jpp2-84pm
Finding: F039
Auto approve: 1