Typescript Cors Allow Any Origin
Description
Detects overly permissive CORS (Cross-Origin Resource Sharing) configurations in Nest.js applications that allow requests from any origin (*). With a wildcard or a reflected origin, any website a user visits can issue requests to the API from the user's browser and read the responses. When the origin is reflected and credentials are also enabled, that includes responses to authenticated requests, so session-bound data can be exfiltrated by a third-party page; it also removes a hurdle for cross-site request forgery (CSRF), since CORS is the only thing standing between a hostile page and the response body.
Detection Strategy
• Identifies Nest.js CORS configuration settings in the application code (enableCors() calls and the cors option passed to NestFactory.create)
• Looks for CORS configurations that use the wildcard (*), set origin: true, or use an origin pattern or callback that accepts every origin
• Reports a vulnerability when CORS is configured to accept requests from any origin without restrictions, including enableCors() called with no options, which falls back to the cors package default of origin: '*'
• Examines the CorsOptions objects (typed in @nestjs/common) passed to Nest.js for insecure settings
Vulnerable code example
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';

async function bootstrap() {
  // Vulnerable: enableCors() with no options uses the cors package defaults,
  // which send Access-Control-Allow-Origin: * to every requester
  const app1 = await NestFactory.create(AppModule);
  app1.enableCors();
  await app1.listen(3000);
}
bootstrap();
✅ Secure code example
import { NestFactory } from '@nestjs/core';
import { AppModule } from './app.module';

async function bootstrap() {
  const app = await NestFactory.create(AppModule);
  // Secure: explicitly define allowed origins, methods, and headers
  app.enableCors({
    origin: ['https://app.example.com'], // illustrative; list the real front-end origin(s)
    methods: ['GET', 'POST'],
    allowedHeaders: ['Content-Type', 'Authorization'],
  });
  await app.listen(3000);
}
bootstrap();