CVE-2024-6844 — Origin Validation Error in Project Flask-cors

CWE-346 — Origin Validation Error7 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 79.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Flask-cors Project Flask-cors Corydolphin Flask-cors

Timeline

PublishedMar 20

Latest updateJul 2

Description

A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cau…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5corydolphin/corydolphin_flask-corsunspecified — latest

▶PyPIflask-cors_project/flask-cors< 6.0.0

▶NVDflask-cors_project/flask-cors4.0.1

🔴Vulnerability Details

OSV

Flask-CORS allows for inconsistent CORS matching↗2025-03-20

▶

OSV

CVE-2024-6844: A vulnerability in corydolphin/flask-cors version 4↗2025-03-20

▶

CVEList

Inconsistent CORS Matching Due to Handling of '+' in URL Path in corydolphin/flask-cors↗2025-03-20

▶

GHSA

Flask-CORS allows for inconsistent CORS matching↗2025-03-20

▶

📋Vendor Advisories

Ubuntu

Flask-CORS vulnerabilities↗2025-07-02

▶

Debian

CVE-2024-6844: python-flask-cors - A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent ...↗2024

▶