CVE-2025-50864

Published Aug 20, 2025

Last updated a day ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-50864 refers to an Origin Validation Error found in the elysia-cors library up to version 1.3.0. This vulnerability allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library's flaw lies in how it validates the supplied origin, checking if it is a substring of any domain in the site's CORS policy instead of performing an exact match. This incorrect validation can lead to malicious origins, such as "notexample.com" or "example.common.net," being whitelisted when the site's CORS policy specifies "example.com". Consequently, this vulnerability can enable unauthorized access to user data on sites that rely on the elysia-cors library for CORS validation.

Description
An Origin Validation Error in the elysia-cors library through 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather than performing an exact match. For example, a malicious origin like "notexample.com" or "example.common.net" is whitelisted when the site's CORS policy specifies "example.com". This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation.
Source
cve@mitre.org
NVD status
Awaiting Analysis
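
The validation flaw described above, shown beside an exact-match check, as an added example that is not elysia-cors source code and not part of the advisory. The substring logic is an assumption reconstructed from the page's two example origins; the function names, policy array and sample origins are constructed for illustration.

```javascript
// Added example: models the flaw described in the advisory text.
// Not the library's code; names and sample data are constructed.

// Flawed check (assumed shape): the origin is accepted when a policy
// entry appears anywhere inside it.
function isAllowedSubstring(requestOrigin, allowedDomains) {
  return allowedDomains.some((domain) => requestOrigin.includes(domain));
}

// Hardened check: parse the Origin header and compare the hostname
// against the policy with strict equality.
function isAllowedExact(requestOrigin, allowedDomains) {
  let url;
  try {
    url = new URL(requestOrigin);
  } catch {
    return false; // "null", empty or malformed Origin values are rejected
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  // An Origin header is scheme://host[:port] only. Reject values that
  // carry a path, query or userinfo instead of silently ignoring them.
  if (url.origin !== requestOrigin.toLowerCase()) return false;
  return allowedDomains.includes(url.hostname);
}

// Regression helper: origins the flawed check accepts but the exact
// check rejects. A patched deployment should report none.
function findBypasses(origins, allowedDomains, checkUnderTest) {
  return origins.filter(
    (o) => checkUnderTest(o, allowedDomains) && !isAllowedExact(o, allowedDomains)
  );
}

// Constructed policy and Origin header values; the two lookalike
// domains are the ones quoted in the description.
const POLICY = ["example.com"];
const SAMPLE_ORIGINS = [
  "https://example.com",
  "https://notexample.com",
  "https://example.common.net",
  "https://other.test",
  "null",
];

for (const origin of SAMPLE_ORIGINS) {
  const flawed = isAllowedSubstring(origin, POLICY);
  const exact = isAllowedExact(origin, POLICY);
  console.log(`${origin.padEnd(28)} substring=${flawed} exact=${exact}`);
}
```

Passing a deployment's own origin check as `checkUnderTest` to `findBypasses` turns the sample list into a regression test for this class of error.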

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity
MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-178

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

13