PYSEC-2026-1383
Vulnerability from pysec - Published: 2026-07-07 14:34 - Updated: 2026-07-07 17:24
VLAI
Details
corydolphin/flask-cors version 5.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the try_match function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.
Severity
5.3 (Medium)
Impacted products
| Name | purl | flask-cors | pkg:pypi/flask-cors |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "flask-cors",
"purl": "pkg:pypi/flask-cors"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.0.0"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.0.dev3",
"0.0.0.dev4",
"1.0",
"1.1",
"1.1.1",
"1.1.2",
"1.1.3",
"1.10.0",
"1.10.1",
"1.10.2",
"1.10.3",
"1.2.0",
"1.2.1",
"1.3.0",
"1.3.1",
"1.4.0",
"1.5.0",
"1.6.0",
"1.6.1",
"1.7.0",
"1.7.1",
"1.7.2",
"1.7.3",
"1.7.4",
"1.8.0",
"1.8.1",
"1.9.0",
"2.0.0",
"2.0.0rc1",
"2.0.1",
"2.1.0",
"2.1.1",
"2.1.2",
"2.1.3",
"3.0.0",
"3.0.1",
"3.0.10",
"3.0.2",
"3.0.3",
"3.0.4",
"3.0.6",
"3.0.7",
"3.0.8",
"3.0.9",
"4.0.0",
"4.0.0a0",
"4.0.1",
"4.0.2",
"5.0.0",
"5.0.1"
]
}
],
"aliases": [
"CVE-2024-6866",
"GHSA-43qf-4rqw-9q2g"
],
"details": "corydolphin/flask-cors version 5.0.1 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.",
"id": "PYSEC-2026-1383",
"modified": "2026-07-07T17:24:09.393861Z",
"published": "2026-07-07T14:34:54.132548Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6866"
},
{
"type": "WEB",
"url": "https://github.com/corydolphin/flask-cors/commit/eb39516a3c96b90d0ae5f51293972395ec3ef358"
},
{
"type": "PACKAGE",
"url": "https://github.com/corydolphin/flask-cors"
},
{
"type": "WEB",
"url": "https://github.com/corydolphin/flask-cors/blob/4.0.1/flask_cors/extension.py#L195"
},
{
"type": "WEB",
"url": "https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00049.html"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/flask-cors"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-43qf-4rqw-9q2g"
}
],
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Flask-CORS vulnerable to Improper Handling of Case Sensitivity"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…