flask-cors@1.1 vulnerabilities

A Flask extension simplifying CORS support

  • latest version: 6.0.1.dev0
  • latest non vulnerable version
  • first published: 11 years ago
  • latest version published: 24 days ago
  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the flask-cors package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version
    • [Medium] Improper Handling of Case Sensitivity

    Flask-Cors is a Flask extension adding a decorator for CORS support.

    Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the try_match() function. An attacker can access restricted paths and potentially expose sensitive data by exploiting the case insensitivity in path matching.

    How to fix Improper Handling of Case Sensitivity?

    Upgrade Flask-Cors to version 6.0.0 or higher.

    Vulnerable versions: [,6.0.0)
    • [Medium] Improper Verification of Source of a Communication Channel

    Flask-Cors is a Flask extension adding a decorator for CORS support.

    Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel due to improper application of regex path matching rules. An attacker can gain unauthorized cross-origin access to sensitive data or functionality by exploiting the prioritization of longer regex patterns over more specific ones, leading to less restrictive CORS policies being applied to sensitive endpoints.

    Note:

    An initial attempt to fix the vulnerability was included in 6.0.0 but proved incomplete. PR 392 fully addresses the issue.

    How to fix Improper Verification of Source of a Communication Channel?

    Upgrade Flask-Cors to version 6.0.0 or higher.

    Vulnerable versions: [,6.0.0)
    • [Low] Log Injection

    Flask-Cors is a Flask extension adding a decorator for CORS support.

    Affected versions of this package are vulnerable to Log Injection when the log level is set to debug. A user can inject or modify log messages by abusing CRLF sequences in the request path of a GET request.

    How to fix Log Injection?

    Upgrade Flask-Cors to version 4.0.1 or higher.

    Vulnerable versions: [,4.0.1)
    • [High] Directory Traversal

    Flask-Cors is a Flask extension adding a decorator for CORS support.

    Affected versions of this package are vulnerable to Directory Traversal. An attacker could potentially access private resources because resource matching does not ensure that pathnames are in a canonical format.

    How to fix Directory Traversal?

    Upgrade Flask-Cors to version 3.0.9 or higher.

    Vulnerable versions: [,3.0.9)
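As an added example, not code from the flask-cors project: a small resource matcher that avoids the four pitfalls these advisories describe (canonicalizing the request path before matching, matching case-sensitively, choosing the most specific pattern rather than the longest, and escaping CR/LF before a path reaches a log). The RESOURCES policy, origins and function names are constructed for illustration.

```python
import posixpath
import re
from typing import Optional

# Constructed sample policy (hypothetical): resource pattern -> allowed origins.
# An empty list means "no cross-origin access"; '*' is the only wildcard.
RESOURCES = {
    "/api/*": ["https://app.example"],
    "/api/public/*": ["*"],
    "/api/admin/*": [],
    "/api/admin/health": ["https://monitor.example"],
}

def canonical_path(raw: str) -> Optional[str]:
    """Collapse '.', '..' and repeated slashes before matching, so that
    '/api/public/../admin/users' is matched as '/api/admin/users'."""
    if not raw.startswith("/"):
        return None
    return posixpath.normpath(raw)

def _compile(pattern: str) -> re.Pattern:
    # Escape everything literally except '*'; no re.IGNORECASE, so '/API/...'
    # does not match a rule written for '/api/...'.
    parts = [".*" if p == "*" else re.escape(p) for p in re.split(r"(\*)", pattern)]
    return re.compile("^" + "".join(parts) + "$")

def _specificity(pattern: str) -> tuple:
    # Fewer wildcards first, then more literal text: '/api/admin/health' beats
    # '/api/admin/*', which beats '/api/*', whatever the patterns' raw lengths.
    return (pattern.count("*"), -len(pattern.replace("*", "")))

def select_policy(raw_path: str) -> Optional[list]:
    """Allowed origins for the most specific matching resource, or None when
    nothing matches (the caller should then emit no CORS headers at all)."""
    path = canonical_path(raw_path)
    if path is None:
        return None
    for pattern in sorted(RESOURCES, key=_specificity):
        if _compile(pattern).match(path):
            return RESOURCES[pattern]
    return None

def log_safe(path: str) -> str:
    """Escape CR and LF so a crafted request path cannot forge log lines."""
    return path.replace("\r", "\\r").replace("\n", "\\n")
```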