Critical CORS Misconfiguration in Production API: Origin Header Bypass Exposes Server to Unrestricted Cross-Domain Requests
A critical security misconfiguration in a production API's CORS (Cross-Origin Resource Sharing) policy skips origin validation for an entire class of requests, allowing unauthorized cross-domain requests. The vulnerability, classified as a P1 (Medium Severity, Urgent) issue, stems from code in `server/src/utils/cors-config.ts` that explicitly permits requests lacking an `Origin` header. This design flaw effectively disables a core web security control for a significant class of requests, including server-to-server communication, command-line tools such as curl, and traffic routed through proxies that strip headers.
The flaw maps directly to CWE-346 (Origin Validation Error) and CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The vulnerable code block unconditionally returns `callback(null, true)` when the `origin` parameter is falsy, approving the request without any validation. This creates a clear attack vector: a malicious actor holding a stolen authentication token can proxy requests from an attacker-controlled server, intentionally omitting the `Origin` header to exploit the permissive policy. A demonstrated attack scenario shows a `curl` command successfully executing a POST request to a sensitive endpoint (`/api/scrapers/scrape`) using a stolen bearer token and no `Origin` header.
This configuration exposes the application to unauthorized data access and potential server-side request forgery (SSRF) risks. It undermines the fundamental security model of CORS, which is to restrict which external domains can interact with the API. Because origin validation is absent for requests with a missing (falsy) `Origin` header, any server, tool, or proxy that does not send the header can interact with the API as if it were a same-origin request, provided other credentials such as API tokens are compromised. The urgent fix requires modifying the CORS configuration to either reject requests without a valid `Origin` header in production or implement an explicit, strict allowlist of trusted origins.
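The following is an added example, not code from the affected project or from `server/src/utils/cors-config.ts`. It shows the vulnerable origin check as the report describes it (a falsy `origin` short-circuits to "allow") next to a hardened check that rejects a missing `Origin` header in production and requires an exact match against an explicit allowlist. The callback signature mirrors the `origin` option of the Express `cors` middleware, but the middleware itself is not imported so the block runs stand-alone; the allowlist entries, the `env` parameter and the `decide` helper are assumptions made for the example.

```typescript
// Added example: vulnerable vs. hardened CORS origin check.
// Signature follows the `origin` callback convention of the Express `cors`
// middleware: callback(err, allow). Allowlist values are constructed.

type OriginCallback = (err: Error | null, allow?: boolean) => void;
type OriginCheck = (origin: string | undefined, callback: OriginCallback) => void;

// Constructed allowlist of trusted browser origins (assumed values).
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Vulnerable form (as described in the report): a falsy Origin is accepted
// unconditionally, so header-less requests bypass the allowlist entirely.
const vulnerableOriginCheck: OriginCheck = (origin, callback) => {
  if (!origin) {
    callback(null, true); // no Origin header => allowed without validation
    return;
  }
  callback(null, ALLOWED_ORIGINS.has(origin));
};

// Hardened form: in production a missing Origin is rejected, and a present
// Origin must match the allowlist exactly (no substring or regex matching).
// The literal string "null" (sent by sandboxed iframes and some redirects) is
// truthy, so it falls through to the allowlist and is rejected there.
function makeHardenedOriginCheck(env: string): OriginCheck {
  const isProduction = env === "production";
  return (origin, callback) => {
    if (!origin) {
      if (isProduction) {
        callback(new Error("CORS: missing Origin header is not allowed in production"));
      } else {
        callback(null, true); // local tooling during development only
      }
      return;
    }
    if (ALLOWED_ORIGINS.has(origin)) {
      callback(null, true);
    } else {
      callback(new Error(`CORS: origin ${origin} is not in the allowlist`));
    }
  };
}

// Runs a check synchronously and captures the decision, so both policies can
// be compared (and tested) without starting a server.
interface Decision { allowed: boolean; reason?: string }
function decide(check: OriginCheck, origin: string | undefined): Decision {
  let result: Decision = { allowed: false, reason: "callback not invoked" };
  check(origin, (err, allow) => {
    result = err ? { allowed: false, reason: err.message } : { allowed: allow === true };
  });
  return result;
}

// Constructed requests: header-less (what curl sends by default), a trusted
// browser origin, an untrusted origin, and the opaque "null" origin.
const SAMPLE_ORIGINS: Array<string | undefined> = [
  undefined,
  "https://app.example.com",
  "https://evil.example.net",
  "null",
];
const hardenedProd = makeHardenedOriginCheck("production");
for (const o of SAMPLE_ORIGINS) {
  const v = decide(vulnerableOriginCheck, o);
  const h = decide(hardenedProd, o);
  console.log(
    `origin=${o ?? "<none>"} vulnerable=${v.allowed} hardened=${h.allowed}` +
      (h.reason ? ` (${h.reason})` : ""),
  );
}
```

Rejecting header-less requests in production is a server-side policy gate, and it will also block legitimate non-browser clients (health checks, server-to-server calls, operator curl sessions); those need a separately authenticated path rather than a relaxed CORS rule. The allowlist is deliberately an exact-match set, since prefix or regex matching on origins is a common source of the CWE-942 weakness the report cites.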