GHSA-Q78P-HJ9H-5466

Vulnerability from github – Published: 2026-07-15 21:57 – Updated: 2026-07-15 21:57
VLAI
Summary
FiftyOne App server uses wildcard CORS (Access-Control-Allow-Origin: *), enabling cross-origin reads of local server data
Details

Impact

The FiftyOne App/API server (fiftyone/server/app.py) and the /media route (fiftyone/server/routes/media.py) unconditionally set a permissive CORS header (Access-Control-Allow-Origin: *) on their responses. Because the embedded App server runs locally and is unauthenticated, this allows any website a user visits to make cross-origin requests to that user's running FiftyOne server and read the responses.

Combined with the unauthenticated /media endpoint — which serves files from the local filesystem by path — the wildcard CORS policy turns a local-only file read into a remotely exploitable, drive-by data exfiltration vulnerability. A malicious web page can silently issue requests such as http://localhost:5151/media?filepath=/etc/passwd and read arbitrary files accessible to the server process (SSH keys, cloud credentials, .env files, dataset media, etc.), then exfiltrate them to an attacker-controlled endpoint.

The victim only needs to have a FiftyOne server running locally and visit a malicious page — no clicks or other interaction are required. Browsers that have shipped Private Network Access / local-network-access protections (e.g. Chromium 142+) mitigate this for some users, but Safari and Firefox do not yet, so the attack remains viable in common configurations.

Who is impacted: any user running FiftyOne (the open-source, embedded App server) locally while also browsing the web.

Not affected: media stored in cloud buckets, which is served via signed URLs on a separate origin.

Patches

Fixed in FiftyOne 1.17.0. The hard-coded Access-Control-Allow-Origin: * has been removed and the server now responds same-origin only by default, which covers local desktop usage and the supported notebook integrations (each served through a same-origin proxy or iframe).

Cross-origin access is now opt-in via a new allowed_origins config option (environment variable FIFTYONE_ALLOWED_ORIGINS), an explicit comma-separated list of trusted origins, e.g.:

export FIFTYONE_ALLOWED_ORIGINS='https://app.example.com,http://localhost:3000'

The literal value * restores the legacy wildcard behavior for users who explicitly require it and emits a warning.

Users should upgrade to FiftyOne 1.17.0 or later.

Workarounds

In affected versions there is no configuration flag to disable the wildcard CORS header without upgrading. Until you can upgrade:

  • Do not run the FiftyOne App server while browsing untrusted websites.
  • Keep the App server bound to localhost (the default) and avoid exposing it on a network interface.
  • Use a browser that enforces Private Network Access protections.

Resources

  • OWASP A01:2025 – Broken Access Control: https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fiftyone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-942"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-15T21:57:29Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nThe FiftyOne App/API server (`fiftyone/server/app.py`) and the `/media` route (`fiftyone/server/routes/media.py`) unconditionally set a permissive CORS header (`Access-Control-Allow-Origin: *`) on their responses. Because the embedded App server runs locally and is unauthenticated, this allows **any website a user visits to make cross-origin requests to that user\u0027s running FiftyOne server and read the responses**.\n\nCombined with the unauthenticated `/media` endpoint \u2014 which serves files from the local filesystem by path \u2014 the wildcard CORS policy turns a local-only file read into a **remotely exploitable, drive-by data exfiltration** vulnerability. A malicious web page can silently issue requests such as `http://localhost:5151/media?filepath=/etc/passwd` and read arbitrary files accessible to the server process (SSH keys, cloud credentials, `.env` files, dataset media, etc.), then exfiltrate them to an attacker-controlled endpoint.\n\nThe victim only needs to have a FiftyOne server running locally and visit a malicious page \u2014 no clicks or other interaction are required. Browsers that have shipped Private Network Access / local-network-access protections (e.g. Chromium 142+) mitigate this for some users, but Safari and Firefox do not yet, so the attack remains viable in common configurations.\n\n**Who is impacted:** any user running FiftyOne (the open-source, embedded App server) locally while also browsing the web.\n\n**Not affected:** media stored in cloud buckets, which is served via signed URLs on a separate origin.\n\n### Patches\n\nFixed in **FiftyOne 1.17.0**. The hard-coded `Access-Control-Allow-Origin: *` has been removed and the server now responds **same-origin only by default**, which covers local desktop usage and the supported notebook integrations (each served through a same-origin proxy or iframe).\n\nCross-origin access is now opt-in via a new `allowed_origins` config option (environment variable `FIFTYONE_ALLOWED_ORIGINS`), an explicit comma-separated list of trusted origins, e.g.:\n\n```shell\nexport FIFTYONE_ALLOWED_ORIGINS=\u0027https://app.example.com,http://localhost:3000\u0027\n```\n\nThe literal value `*` restores the legacy wildcard behavior for users who explicitly require it and emits a warning.\n\n**Users should upgrade to FiftyOne 1.17.0 or later.**\n\n### Workarounds\n\nIn affected versions there is no configuration flag to disable the wildcard CORS header without upgrading. Until you can upgrade:\n\n- Do not run the FiftyOne App server while browsing untrusted websites.\n- Keep the App server bound to `localhost` (the default) and avoid exposing it on a network interface.\n- Use a browser that enforces Private Network Access protections.\n\n### Resources\n\n- OWASP A01:2025 \u2013 Broken Access Control: https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/",
  "id": "GHSA-q78p-hj9h-5466",
  "modified": "2026-07-15T21:57:29Z",
  "published": "2026-07-15T21:57:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/voxel51/fiftyone/security/advisories/GHSA-q78p-hj9h-5466"
    },
    {
      "type": "WEB",
      "url": "https://github.com/voxel51/fiftyone/commit/7c5b92eec5c7c0210c0c8134351ced77d2800ae0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/voxel51/fiftyone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/voxel51/fiftyone/releases/tag/v1.17.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "FiftyOne App server uses wildcard CORS (Access-Control-Allow-Origin: *), enabling cross-origin reads of local server data"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…