A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the + character in URL paths. The request.path is passed through the unquote_plus function, which converts the + character to a space . This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.
The product does not properly verify that the source of data or communication is valid.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Flask-cors | Flask-cors_project | 4.0.1 (including) | 4.0.1 (including) |
| Python-flask-cors | Ubuntu | esm-apps/focal | * |
| Python-flask-cors | Ubuntu | esm-apps/jammy | * |
| Python-flask-cors | Ubuntu | esm-apps/noble | * |
| Python-flask-cors | Ubuntu | focal | * |
| Python-flask-cors | Ubuntu | jammy | * |
| Python-flask-cors | Ubuntu | noble | * |
| Python-flask-cors | Ubuntu | oracular | * |
| Python-flask-cors | Ubuntu | plucky | * |
| Python-flask-cors | Ubuntu | upstream | * |