CVE-2024-6221 — Improper Access Control in Flask-cors

CWE-284 — Improper Access Control9 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.6%

top 29.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Corydolphin Flask-cors Flask-cors Project Flask-cors Corydolphin Flask-cors

Timeline

PublishedAug 18

Latest updateJul 2

Description

A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5corydolphin/corydolphin_flask-corsunspecified — 5.0.0

▶NVDcorydolphin/flask-cors4.0.1

▶PyPIflask-cors_project/flask-cors< 4.0.2

🔴Vulnerability Details

OSV

python-flask-cors vulnerabilities↗2025-07-02

▶

GHSA

Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default↗2024-08-18

▶

OSV

CVE-2024-6221: A vulnerability in corydolphin/flask-cors version 4↗2024-08-18

▶

OSV

CVE-2024-6221: A vulnerability in corydolphin/flask-cors up to version 4↗2024-08-18

▶

OSV

Flask-CORS allows the `Access-Control-Allow-Private-Network` CORS header to be set to true by default↗2024-08-18

▶

📋Vendor Advisories

Ubuntu

Flask-CORS vulnerabilities↗2025-07-02

▶

Debian

CVE-2024-6221: python-flask-cors - A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Access-Contr...↗2024

▶