CVE-2024-6866

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-6866
corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:flask-cors_project:flask-cors:4.0.1:*:*:*:*:*:*:*
History

01 Aug 2025, 01:36

Type Values Removed Values Added
CPE cpe:2.3:a:flask-cors_project:flask-cors:4.0.1:*:*:*:*:*:*:*
Summary
  • (es) La versión 4.01 de corydolphin/flask-cors contiene una vulnerabilidad donde la coincidencia de rutas de solicitud no distingue entre mayúsculas y minúsculas debido al uso de la función `try_match`, originalmente diseñada para la coincidencia de hosts. Esto genera una discrepancia, ya que las rutas en las URL distinguen entre mayúsculas y minúsculas, pero la coincidencia de expresiones regulares las trata como si no las tuvieran. Esta configuración incorrecta puede generar vulnerabilidades de seguridad importantes, permitiendo que orígenes no autorizados accedan a rutas que deberían estar restringidas, lo que resulta en la exposición y posibles fugas de datos.
References () https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6 - () https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6 - Exploit, Third Party Advisory
CVSS v2 : unknown
v3 : 5.3 		v2 : unknown
v3 : 7.5
First Time Flask-cors Project
Flask-cors Project flask-cors

20 Mar 2025, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-20 10:15

Updated : 2025-08-01 01:36

NVD link : CVE-2024-6866

Mitre link : CVE-2024-6866

CVE.ORG link : CVE-2024-6866

JSON object : View

Products Affected

flask-cors_project

  • flask-cors
CWE
CWE-178

Improper Handling of Case Sensitivity