VDB
KO
MEDIUM 6.5

GHSA-94jw-hqvj-vw74

sanic-cors contains an improper regular expression in the try_match() function

Details

sanic-cors version 2.2.0 and prior contains an improper regular expression in the try_match() function in sanic_cors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain unauthorized access to cross-origin requests for authenticated resources.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / sanic-cors
Introduced in: 0

No fixed version published yet for sanic-cors (pip). Pin to a known-safe version or switch to an alternative.

References