CVE-2024-6866

HIGH

corydolphin/flask-cors 4.0.1 - case-insensitive request path matching in CORS resource rules (CWE-178)

Title source: llm

Description

corydolphin/flask-cors version 4.0.1 matches request paths against the configured CORS resource patterns case-insensitively, because the `try_match` function, which was written to compare hostnames (where case does not matter), is reused for paths. URL paths are case-sensitive, so a resource pattern can match a path that differs from it only in letter case, and the first matching rule is the one applied. A request to a path that should be covered by a restricted rule can therefore receive the CORS options of a more permissive rule whose pattern differs only in casing, allowing origins that should have been rejected to read the response and exposing data to those origins.
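The following is an added example, not code from the flask-cors project or from the advisory: it models the matching behaviour the description refers to so the policy mix-up can be reproduced offline. The resource rules, paths and origins are constructed for illustration; `try_match_vulnerable` reproduces the described flaw (path regexes evaluated with `re.IGNORECASE`), `try_match_fixed` matches paths case-sensitively, and the "longest pattern first, first match wins" rule selection is a simplification of how a resources dict is consulted. `paths_with_differing_policy` is a hypothetical audit helper for checking whether an existing configuration is actually affected.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed CORS resource rules for a hypothetical app (not flask-cors test
# data). Keys are regexes matched against the request path; values are the
# CORS options that apply to the first matching rule.
RESOURCES: Dict[str, Dict[str, object]] = {
    r"/reports/.*": {"origins": ["https://app.example.com"]},  # restricted
    r"/REPORTS/legacy/.*": {"origins": "*"},                   # public legacy endpoint
}

Matcher = Callable[[str, str], bool]


def sort_by_specificity(resources: Dict[str, Dict[str, object]]):
    """Longest pattern first, used as a proxy for specificity (assumption:
    mirrors the ordering a resources dict gets before matching)."""
    return sorted(resources.items(), key=lambda kv: len(kv[0]), reverse=True)


def try_match_vulnerable(path: str, pattern: str) -> bool:
    """Models the flawed behaviour: a host-matching helper reused for paths,
    so the regex is evaluated with re.IGNORECASE."""
    return re.match(pattern, path, flags=re.IGNORECASE) is not None


def try_match_fixed(path: str, pattern: str) -> bool:
    """URL paths are case-sensitive; match them that way."""
    return re.match(pattern, path) is not None


def cors_options_for(path: str, resources: Dict[str, Dict[str, object]],
                     matcher: Matcher) -> Optional[Dict[str, object]]:
    """Return the options of the first rule whose pattern matches `path`."""
    for pattern, options in sort_by_specificity(resources):
        if matcher(path, pattern):
            return options
    return None


def allowed_origin(path: str, resources: Dict[str, Dict[str, object]],
                   matcher: Matcher, request_origin: str) -> Optional[str]:
    """Value the Access-Control-Allow-Origin header would carry for a request
    from `request_origin`, or None when the origin must not be allowed."""
    options = cors_options_for(path, resources, matcher)
    if options is None:
        return None
    origins = options["origins"]
    if origins == "*":
        return "*"
    return request_origin if request_origin in origins else None


def paths_with_differing_policy(paths: List[str],
                                resources: Dict[str, Dict[str, object]]) -> List[str]:
    """Audit helper (hypothetical): paths whose selected rule changes between
    case-insensitive and case-sensitive matching, i.e. where the flaw alters
    the CORS policy actually applied."""
    return [p for p in paths
            if cors_options_for(p, resources, try_match_vulnerable)
            != cors_options_for(p, resources, try_match_fixed)]


if __name__ == "__main__":
    victim_path = "/reports/legacy/salaries"   # meant to be restricted
    attacker = "https://evil.example.net"
    print("vulnerable:", allowed_origin(victim_path, RESOURCES, try_match_vulnerable, attacker))
    print("fixed:     ", allowed_origin(victim_path, RESOURCES, try_match_fixed, attacker))
    print("affected paths:", paths_with_differing_policy(
        [victim_path, "/REPORTS/legacy/public", "/reports/q1"], RESOURCES))
```

With case-insensitive matching the longer, public `/REPORTS/legacy/.*` pattern captures `/reports/legacy/salaries` and the response is sent with `Access-Control-Allow-Origin: *`; with case-sensitive matching the restricted `/reports/.*` rule applies and the attacker origin is refused. The audit helper is the check to run over your own resource patterns and route list: if it returns an empty list, the flaw does not change which rule is selected for any of those paths, though upgrading is still the right fix.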

Scores

CVSS v3 7.5
EPSS 0.0007
EPSS Percentile 20.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-178
Status published
Products (2)
flask-cors_project/flask-cors 4.0.1
pypi/flask-cors 0 - 6.0.0 (PyPI)
Published Mar 20, 2025
Tracked Since Feb 18, 2026