Server-side Request Forgery (SSRF) Affecting cors-anywhere package, versions *
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Server-side Request Forgery (SSRF) vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-JS-CORSANYWHERE-13109647
- published28 Sept 2025
- disclosed25 Sept 2025
- creditRob Wu
Introduced: 25 Sep 2025
NewCVE-2020-36851 (opens in a new tab)How to fix?
There is no fixed version for cors-anywhere.
Overview
cors-anywhere is a CORS Anywhere is a reverse proxy which adds CORS headers to the proxied request. Request URL is taken from the path
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the proxy process. An attacker can access internal-only endpoints, retrieve sensitive metadata, interact with internal APIs, and potentially compromise cloud resources by sending crafted requests that induce the server to make HTTP requests to arbitrary targets.
##Mitigation
Restricting the proxy to trusted origins or authentication
whitelisting allowed target hosts
Preventing access to link-local and internal IP ranges
Removing support for unsafe HTTP methods/headers
Enabling cloud provider mitigations
Deploying network-level protections.