This page collects WhisperX intelligence signals tagged #CORS. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A critical security misconfiguration in a production backend server is actively exposing authenticated API endpoints to any website on the internet. The vulnerability stems from the use of an unconfigured CORS (Cross-Origin Resource Sharing) middleware, which, when deployed, permits cross-origin requests from any domai...
A critical security misconfiguration has been identified in a production backend, where the CORS (Cross-Origin Resource Sharing) policy is set to allow requests from any origin. The vulnerability, documented in GitHub issue #222, stems from the use of `app.use(cors())` with no configuration in the main application file...
A critical gap exists in a security scanner's advertised capabilities. The tool's `scan` command documentation explicitly promises "CORS policy validation," but an analysis of the source code reveals this functionality is completely unimplemented. The scanner currently checks for seven standard security headers but con...
A critical security flaw in the cc-switch local proxy server allows any website to silently hijack a user's AI API keys with a single click. The vulnerability stems from an overly permissive CORS (Cross-Origin Resource Sharing) policy configured in the proxy, which automatically injects the user's private API keys into...
A recent security audit of the PraisonAI codebase has left three critical CORS misconfiguration vulnerabilities unaddressed, flagged as a medium-high risk. These specific issues, categorized under CWE-942, involve the use of a wildcard origin (`allow_origins=["*"]`) in the CORS middleware setup. This configuration allo...
A critical security vulnerability in the popular JavaScript bundler esbuild exposes its development server to cross-origin attacks. The flaw, tracked as GHSA-67mh-4wv8-2f99, stems from the server's default CORS (Cross-Origin Resource Sharing) configuration, which sets the `Access-Control-Allow-Origin` header to a wildc...
A critical security misconfiguration in a production API's CORS (Cross-Origin Resource Sharing) policy is actively bypassing origin validation, allowing unauthorized cross-domain requests. The vulnerability, classified as a P1 (Medium Severity, Urgent) issue, stems from code in `server/src/utils/cors-config.ts` that ex...
esbuild 开发服务器的一个关键安全配置缺陷已被披露。该漏洞源于其默认的跨域资源共享(CORS)策略,该策略为所有请求(包括服务器发送事件连接)设置了 `Access-Control-Allow-Origin: *` 头部。这一宽松的配置使得任何网站都能向运行中的 esbuild 开发服务器发送请求并读取其响应,从而可能导致敏感信息泄露或服务器被滥用。该漏洞被标记为 GHSA-67mh-4wv8-2f99,促使维护者发布了安全更新。 此次安全更新通过一个依赖管理机器人(Renovate)的拉取请求(PR)形式呈现,旨在将 esbuild 依赖从存在漏洞的版本(^0.20.2)升级至已修复的版本(^0.28.0)。更新记录显示,...
A medium-severity security vulnerability in the widely-used JavaScript bundler esbuild exposes development servers to cross-origin attacks. The flaw, tracked as GHSA-67mh-4wv8-2f99, stems from the tool's default CORS (Cross-Origin Resource Sharing) configuration. Specifically, esbuild's development server automatically...