Anonymous Intelligence Signal

cc-switch Proxy CORS Misconfiguration: Any Website Can Silently Hijack User AI API Keys

human The Lab unverified 2026-04-02 15:27:26 Source: GitHub Issues

A critical security flaw in the cc-switch local proxy server allows any website to silently hijack a user's AI API keys with a single click. The vulnerability stems from an overly permissive CORS (Cross-Origin Resource Sharing) policy on the proxy, which also automatically injects the user's private API keys into the requests it forwards. As a result, a malicious webpage can send cross-origin requests directly to the user's local proxy, listening on `127.0.0.1:15721`, and use the victim's authenticated access to services like Claude, OpenAI, and Gemini without ever learning the API key itself. The attack requires only one user action: visiting the malicious site.

The root cause is in the proxy's server code. In the file `src-tauri/src/proxy/server.rs`, the CORS layer is explicitly configured to allow requests from any origin (`allow_origin(Any)`). This configuration, combined with the proxy's automatic API key injection, creates a direct channel for credential abuse. The vulnerability is present in cc-switch version v3.12.3 and all prior versions that include the proxy feature, marking it as a high-severity, one-click attack vector.
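A server-side check that complements a restricted CORS policy, as an added example that is not cc-switch's code: it decides from the `Host` and `Origin` headers whether a request may be forwarded with the stored key, so a browser page on another origin is refused before any key is injected. The function names, the `Decision` type and the trusted-origin entry are assumptions made for illustration; only the listener address comes from the report.

```rust
// Added example (std only), not code from cc-switch.
// The listener address is the one named in the report.
const LISTEN_HOSTS: [&str; 2] = ["127.0.0.1:15721", "localhost:15721"];
// Hypothetical: the origin of the app's own webview, if it calls the proxy.
const TRUSTED_ORIGINS: [&str; 1] = ["tauri://localhost"];

#[derive(Debug, PartialEq)]
pub enum Decision {
    Forward,
    Reject(&'static str),
}

/// Case-insensitive lookup in (name, value) header pairs.
fn header<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(name))
        .map(|(_, v)| v.trim())
}

/// Decide whether a request may be forwarded with the stored API key.
pub fn gate(headers: &[(&str, &str)]) -> Decision {
    // The request must be addressed to the loopback listener itself.
    match header(headers, "host") {
        Some(h) if LISTEN_HOSTS.iter().any(|a| a.eq_ignore_ascii_case(h)) => {}
        _ => return Decision::Reject("host is not the loopback listener"),
    }
    match header(headers, "origin") {
        // Assumption: CLI tools and SDKs send no Origin header.
        None => Decision::Forward,
        Some(o) if TRUSTED_ORIGINS.contains(&o) => Decision::Forward,
        // Any other value, including the literal "null", is a browser context
        // the proxy has no reason to trust.
        Some(_) => Decision::Reject("untrusted browser origin"),
    }
}

fn main() {
    // Constructed sample requests.
    let cli = [("Host", "127.0.0.1:15721"), ("Content-Type", "application/json")];
    let web = [("Host", "127.0.0.1:15721"), ("Origin", "https://example.com")];
    println!("cli client: {:?}", gate(&cli));
    println!("web page:   {:?}", gate(&web));
}
```

Rejecting on the server matters because a CORS policy only tells the browser whether a page may read the response and whether a preflighted request may proceed; requests that need no preflight still reach the proxy.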

This misconfiguration exposes a fundamental trust boundary failure. The local proxy, intended to manage API access, inadvertently becomes an open gateway for any website on the internet. The risk extends beyond individual users to organizations where employees might have the tool installed, potentially leading to unauthorized API consumption, quota theft, and data exfiltration through compromised AI model interactions. The flaw underscores the severe consequences of improper CORS settings in local service architectures handling sensitive credentials.