CVE-2025-50579

A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. This misconfiguration enables attackers to intercept tokens using a simple browser script and exfiltrate them to a remote attacker-controlled server, potentially leading to unauthorized actions within the application.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/NginxProxyManager/nginx-proxy-manager
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4509

Configurations

No configuration.

History

20 Aug 2025, 14:40

Type	Values Removed	Values Added
Summary		(es) Una configuración incorrecta de CORS en Nginx Proxy Manager v2.12.3 permite que dominios no autorizados accedan a datos confidenciales, en particular tokens JWT, debido a una validación incorrecta del encabezado Origin. Esta configuración incorrecta permite a los atacantes interceptar tokens mediante un simple script del navegador y exfiltrarlos a un servidor remoto controlado por el atacante, lo que podría provocar acciones no autorizadas dentro de la aplicación.

19 Aug 2025, 20:15

Type	Values Removed	Values Added
CWE		CWE-1259
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.3

19 Aug 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-19 15:15

Updated : 2025-08-20 14:40

NVD link : CVE-2025-50579

Mitre link : CVE-2025-50579

CVE.ORG link : CVE-2025-50579

JSON object : View

Products Affected

No product.

CWE

CWE-1259

Improper Restriction of Security Token Assignment

5.3 /10