CVE-2024-11602

HIGH

Feast-dev/feast <0.40.0 - CSRF

Title source: llm

Description

A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can bypass intended security controls and potentially expose sensitive information.

References (1)

[Exploit, Third Party Advisory] https://huntr.com/bounties/7b24ecbe-0af7-4125-ab56-bce09786042e

Scores

CVSS v3 7.4

EPSS 0.0004

EPSS Percentile 11.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-346

Status published

Products (2)

feast-dev/feast-dev/feast unspecified - latest

pypi/feast 0PyPI

Published Mar 20, 2025

Tracked Since Feb 18, 2026