{ "schema_version": "1.4.0", "id": "GHSA-8vgw-p6qm-5gr7", "modified": "2025-05-17T18:54:45Z", "published": "2025-03-20T12:32:45Z", "aliases": [ "CVE-2024-6844" ], "summary": "Flask-CORS allows for inconsistent CORS matching", "details": "A vulnerability in corydolphin/flask-cors version 5.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "flask-cors" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "6.0.0" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 5.0.1" } } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6844" }, { "type": "WEB", "url": "https://github.com/corydolphin/flask-cors/commit/35d875319621bd129a38b2b823abf4a2f6cda536" }, { "type": "PACKAGE", "url": "https://github.com/corydolphin/flask-cors" }, { "type": "WEB", "url": "https://github.com/corydolphin/flask-cors/blob/main/flask_cors/extension.py#L193" }, { "type": "WEB", "url": "https://huntr.com/bounties/731a6cd4-d05f-4fe6-8f5b-fe088d7b34e0" } ], "database_specific": { "cwe_ids": [], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-21T22:10:24Z", "nvd_published_at": "2025-03-20T10:15:34Z" } }