CVE-2024-6839

EUVD-2025-6973
corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
@huntr_aiCNA
4.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
flask-cors_projectflask-cors
4.0.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python-flask-cors
bookworm
3.0.10-2+deb12u1
fixed
bullseye
vulnerable
bullseye (security)
3.0.9-2+deb11u1
fixed
forky
6.0.1-1
fixed
sid
6.0.1-1
fixed
trixie
6.0.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-flask-cors
focal
Fixed 3.0.8-2ubuntu0.1+esm1
released
jammy
Fixed 3.0.9-2ubuntu0.1
released
noble
Fixed 4.0.0-1ubuntu0.1~esm1
released
oracular
Fixed 4.0.1-1ubuntu0.1
released
plucky
Fixed 5.0.0-1ubuntu0.1
released
questing
not-affected
Common Weakness Enumeration
References
https://huntr.com/bounties/403eb1fc-86f4-4820-8eba-0f3dfae9f2b4
https://lists.debian.org/debian-lts-announce/2025/05/msg00049.html