1. Critical CORS Misconfiguration in Production API: Origin Header Bypass Exposes Server to Unrestricted Cross-Domain Requests
A critical security misconfiguration in a production API's CORS (Cross-Origin Resource Sharing) policy lets an attacker-controlled origin pass origin validation, allowing unauthorized cross-domain requests to reach the API and read its responses. The vulnerability, classified as a P1 (Medium Severity, Urgent) issue, stems from code in `server/src/utils/cors-config.ts` that ex...
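What an Origin-header bypass of this kind usually looks like, next to the exact-match allowlist check that closes it, as an added TypeScript example. This is not the page's code and not the contents of `server/src/utils/cors-config.ts`; the function names, the allowlisted origins and the attacker origins are assumptions for illustration, and the example goes slightly beyond the page by showing two weak patterns (origin reflection and substring matching) rather than one.

```typescript
// Added illustration of a CORS origin-validation bypass; not the project's cors-config.ts.
// All function names, origins and the allowlist below are hypothetical.

type CorsHeaders = Record<string, string>;

// Pattern 1 (vulnerable): reflect whatever Origin the client sent and allow credentials.
// Any site a victim visits can then send cookie-bearing requests and read the responses.
function reflectingCorsHeaders(origin: string | undefined): CorsHeaders {
  return {
    "Access-Control-Allow-Origin": origin ?? "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Pattern 2 (vulnerable): "validation" built on substring checks.
// startsWith is defeated by a subdomain of the attacker's domain, endsWith by a
// look-alike registrable domain, and neither check pins the scheme.
function looseOriginCheck(origin: string): boolean {
  return origin.startsWith("https://app.example.com") || origin.endsWith("example.com");
}

// Hardened: parse the Origin, require https and a bare scheme://host[:port],
// then compare the normalized value against an exact-match allowlist.
const ALLOWED_ORIGINS: readonly string[] = [
  "https://app.example.com",
  "https://admin.example.com",
];

function normalizeOrigin(origin: string): string | null {
  let u: URL;
  try {
    u = new URL(origin);
  } catch {
    return null; // "null", garbage, or anything that is not an absolute URL
  }
  if (u.protocol !== "https:") return null;
  if (u.pathname !== "/" || u.search !== "" || u.hash !== "" || u.username !== "" || u.password !== "") {
    return null; // a real Origin header never carries a path, query, fragment or userinfo
  }
  return u.origin; // lowercases the host and drops the default port
}

function isOriginAllowed(origin: string | undefined): boolean {
  if (!origin) return false;
  const normalized = normalizeOrigin(origin);
  return normalized !== null && ALLOWED_ORIGINS.includes(normalized);
}

// Returns null for a disallowed origin: emit no CORS headers at all so the browser
// refuses to expose the response. Vary: Origin keeps shared caches from serving one
// origin's Access-Control-Allow-Origin value to another.
function hardenedCorsHeaders(origin: string | undefined): CorsHeaders | null {
  const normalized = origin ? normalizeOrigin(origin) : null;
  if (normalized === null || !ALLOWED_ORIGINS.includes(normalized)) return null;
  return {
    "Access-Control-Allow-Origin": normalized,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed attacker origins that get through the two weak patterns above.
const ATTACKER_ORIGINS: readonly string[] = [
  "https://evil.example",                 // reflected verbatim by pattern 1
  "https://app.example.com.evil.example", // passes startsWith in pattern 2
  "https://evilexample.com",              // passes endsWith in pattern 2
  "http://app.example.com",               // trusted host over plaintext; passes endsWith
  "null",                                 // sandboxed iframe / data: URL; reflected by pattern 1
];

// Count how many attacker origins each policy would let read a credentialed response.
function countBypasses(): { reflecting: number; loose: number; hardened: number } {
  let reflecting = 0, loose = 0, hardened = 0;
  for (const o of ATTACKER_ORIGINS) {
    if (reflectingCorsHeaders(o)["Access-Control-Allow-Origin"] === o) reflecting++;
    if (looseOriginCheck(o)) loose++;
    if (hardenedCorsHeaders(o) !== null) hardened++;
  }
  return { reflecting, loose, hardened };
}
```

Running `countBypasses()` against the constructed list gives 5 bypasses for the reflecting policy, 3 for the substring policy and 0 for the allowlist. The detail worth copying is that the hardened path emits no `Access-Control-Allow-Origin` header at all on a miss rather than a default value, and that it compares the browser-normalized `origin` (lowercased host, default port stripped) so that case or `:443` variations of a trusted origin are neither wrongly rejected nor wrongly accepted.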