CVE-2024-11602

HIGH

Feast-dev/feast <0.40.0 - CSRF

Title source: llm

Description

A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can bypass intended security controls and potentially expose sensitive information.

References (1)

[Exploit, Third Party Advisory] https://huntr.com/bounties/7b24ecbe-0af7-4125-ab56-bce09786042e

Scores

CVSS v3 7.4

EPSS 0.0004

EPSS Percentile 13.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Classification

CWE

CWE-346

Status draft

Affected Products (1)

pypi/feast PyPI

Timeline

Published Mar 20, 2025

Tracked Since Feb 18, 2026