Permissive Cross-domain Policy with Untrusted Domains Affecting @musistudio/claude-code-router package, versions <1.0.37


Severity

Recommended: 0.0 critical

CVSS assessment by Snyk's Security Team.

Threat Intelligence

EPSS
0.05% (17th percentile)

  • Snyk ID: SNYK-JS-MUSISTUDIOCLAUDECODEROUTER-12239876
  • Published: 29 Aug 2025
  • Disclosed: 21 Aug 2025
  • Credit: ttttmr

Introduced: 21 Aug 2025

CVE-2025-57755
CWE-942

How to fix?

Upgrade @musistudio/claude-code-router to version 1.0.37 or higher.

Overview

@musistudio/claude-code-router is a tool for using Claude Code without an Anthropic account and routing it to another LLM provider.

Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains due to improper CORS configuration. An attacker can access user API keys or equivalent credentials by sending requests from untrusted domains.
