VYPR
High severity · NVD Advisory · Published May 31, 2018 · Updated Sep 17, 2024

CVE-2016-10549

Description

Sails.js versions ≤0.12.7 misconfigure CORS by reflecting the request's Origin header into Access-Control-Allow-Origin, enabling a Same Origin Policy bypass from any origin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Sails.js 0.12.7 and lower, the CORS hook reflects the value of the request's HTTP Origin header directly into the Access-Control-Allow-Origin response header [1][3]. The behaviour is triggered by a common configuration: `allRoutes` set to `true` with `origin` set to `'*'` or left commented out so the default applies (the advisory cites `config/security.js` [1]; the keys themselves are `sails.config.cors.allRoutes`, `.origin` and `.credentials`, as the patch below reads them). Browsers refuse to honour a literal `*` in Access-Control-Allow-Origin on a credentialed request, so echoing the caller's origin is what makes "allow everything, with cookies" work at all, and it is exactly what turns the setting into a Same Origin Policy bypass: every origin becomes an allowed origin. The logic lives in the framework's core CORS hook (`lib/hooks/cors/index.js`) and applies to the default configuration [1][3].

Exploitation

Exploitation needs no access to the server. An attacker hosts a malicious HTML document on a foreign origin, or abuses a cross-site scripting flaw on some other site, to issue AJAX requests to the vulnerable Sails.js application from that origin [1]. It only works when the target instance runs with `allRoutes: true` and either `origin: '*'` or an unset `origin` [1]. The request itself requires no authentication, but if `credentials` is also left at its default (anything other than an explicit `false`), the response carries `Access-Control-Allow-Credentials: true`; the victim's browser then attaches its session cookies to the cross-origin request and exposes the authenticated response to the attacker's script [1]. The victim only has to visit the attacker's page while logged in to the Sails application.
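The reflection described in the Vulnerability section and the browser-side consequence described in the Exploitation section, as one added example. This is not Sails code: it is a small model of a CORS layer that "allows all origins, with credentials" next to the check a browser applies before letting a page read a cross-origin response. The config keys follow the 0.12.x names that appear in the patch (`allRoutes`, `origin`, `credentials`); the hostnames are constructed.

```javascript
// Added example, not from the Sails project. Models the vulnerable behaviour
// described above: with origin '*' the request Origin is reflected, because a
// literal '*' is not allowed alongside Access-Control-Allow-Credentials: true.
// Config keys follow the 0.12.x names in the patch; origins are constructed.

// Server side: compute the CORS response headers for one request.
function corsHeaders(requestOrigin, config) {
  const headers = {};
  // allRoutes false (per-route CORS) is out of scope here; no Origin header
  // means a same-origin or non-browser request, which gets no CORS headers.
  if (!config.allRoutes || !requestOrigin) return headers;

  let allowed = null;
  if (config.origin === '*') {
    allowed = requestOrigin; // <-- the bug: whatever origin asked is echoed back
  } else {
    // Allowlist: an array or a comma-separated string of exact origins.
    const list = Array.isArray(config.origin)
      ? config.origin
      : String(config.origin).split(',').map((s) => s.trim());
    if (list.includes(requestOrigin)) allowed = requestOrigin;
  }
  if (allowed === null) return headers; // not allowed: no ACAO at all

  headers['Access-Control-Allow-Origin'] = allowed;
  // Mirrors the advisory: anything other than an explicit false keeps credentials on.
  if (config.credentials !== false) headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Vary'] = 'Origin'; // echoed origins must never be cached across origins
  return headers;
}

// Browser side: does the Same Origin Policy let the calling page read the response?
function browserExposesResponse(pageOrigin, headers, withCredentials) {
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (withCredentials) {
    // Credentialed request: ACAO must be the exact page origin and ACAC must be 'true'.
    return acao === pageOrigin && headers['Access-Control-Allow-Credentials'] === 'true';
  }
  return acao === '*' || acao === pageOrigin;
}

// End to end: can script on attackerOrigin read a cookie-authenticated response?
function attackerCanReadAuthenticated(attackerOrigin, config) {
  const h = corsHeaders(attackerOrigin, config);
  return browserExposesResponse(attackerOrigin, h, true);
}

const ATTACKER = 'https://attacker.example'; // constructed
const PARTNER = 'https://app.example';       // constructed legitimate front end

// Default-like 0.12.x settings from the advisory: every origin, with cookies.
const vulnerableConfig = { allRoutes: true, origin: '*', credentials: true };
// Hardened: closed allowlist; credentials stay on only because PARTNER needs them.
const hardenedConfig = { allRoutes: true, origin: [PARTNER], credentials: true };

function demo() {
  return {
    reflectedHeaders: corsHeaders(ATTACKER, vulnerableConfig),
    attackerReadsVulnerable: attackerCanReadAuthenticated(ATTACKER, vulnerableConfig),
    attackerReadsHardened: attackerCanReadAuthenticated(ATTACKER, hardenedConfig),
    partnerStillWorks: attackerCanReadAuthenticated(PARTNER, hardenedConfig),
  };
}

console.log(demo());
```

The `Vary: Origin` line is not part of the vulnerability but belongs with any allowlist that echoes the request origin, otherwise a shared cache may serve one origin's `Access-Control-Allow-Origin` to another.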

Impact

Successful exploitation bypasses the Same Origin Policy: the attacker's page can make cross-origin AJAX requests to the application and read the responses, which the browser would otherwise block [1]. If the API exposes sensitive data, this is an information disclosure. When credentials are allowed as well, the requests ride on the victim's session, so the attacker can read authenticated endpoints and perform state-changing actions as the logged-in user [1]. This is a read-and-act primitive inside the victim's browser, not code execution on the server, and it only affects hosts running Sails.js with the permissive CORS settings described above.

Mitigation

The GitHub Security Advisory lists Sails.js 0.12.7 as the patched release [2], while the NVD description above says versions ≤0.12.7 are affected; confirm against the version you actually run. Note also what the one commit linked below as the fix does: it adds a startup warning, only in the production environment, when the defaults are `allRoutes: true`, `origin: '*'` and `credentials: true`. It does not stop the Origin header from being reflected, so the configuration, not the version number, is what has to change. After upgrading, either set `allRoutes` to `false`, or, if cross-origin access is genuinely needed, replace the wildcard with an explicit list of allowed origins (`origin` in 0.12.x; the current Sails documentation names the same setting `security.cors.allowOrigins` [3]). Never combine a wildcard or reflected origin with credentials enabled (`credentials` in 0.12.x, `allowCredentials` in current docs [3]); set it to `false` unless cookie-authenticated cross-origin calls are required, and then only for a closed allowlist. A quick check is `curl -i -H 'Origin: https://evil.example' https://your-app/some/api` (constructed origin): the response must not echo that origin in Access-Control-Allow-Origin. No KEV listing is associated with this CVE.
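An added audit for the settings discussed in this section. It is not Sails code; it generalises the check the linked patch performs at lift time, with two differences: it runs in any environment (the patch only warns in production) and it returns findings instead of logging them, so it can sit in a test or a CI step. Key names follow the patch (`allRoutes`, `origin`, `credentials`); the route-table shape (`{ 'verb /path': { cors: ... } }`) is an assumption, and the sample configs are constructed.

```javascript
// Added example, not from the Sails project. Audits a 0.12.x-style CORS config
// for the combination this CVE is about. Key names follow the patch; the route
// table shape is assumed and the sample configs are constructed.

// Merge a route's own cors settings over the global defaults (what the patch
// does with _.defaults, but without mutating the route's config object).
function effectiveCors(globalCors, routeCors) {
  return Object.assign({}, globalCors, routeCors || {});
}

// '*' is what the vulnerable code path reflects; anything other than an
// explicit false keeps credentials on, as the advisory describes.
function isPermissive(cfg) {
  return cfg.origin === '*' && cfg.credentials !== false;
}

// routes example: { 'get /api/me': { cors: true },
//                   'get /public': { cors: { origin: 'https://app.example' } } }
function auditCors(globalCors, routes) {
  const findings = [];
  if (globalCors.allRoutes && isPermissive(globalCors)) {
    findings.push('global: allRoutes with origin "*" and credentials enabled reflects every Origin');
  }
  for (const [address, target] of Object.entries(routes || {})) {
    const routeCors = target && target.cors;
    if (!routeCors) continue; // no per-route override: covered by the global check
    // `cors: true` means "enable CORS here with the global settings".
    const eff = effectiveCors(globalCors, routeCors === true ? {} : routeCors);
    if (isPermissive(eff)) {
      findings.push(`${address}: origin "*" with credentials enabled`);
    }
  }
  return findings;
}

// Constructed sample: global CORS off, but two routes opt in.
const sampleGlobal = { allRoutes: false, origin: '*', credentials: true };
const sampleRoutes = {
  'get /api/me': { cors: true },                                   // inherits the wildcard
  'get /public': { cors: { origin: 'https://app.example', credentials: false } },
};

console.log(auditCors(sampleGlobal, sampleRoutes));
```

Run it against your own `sails.config.cors` and route table; an empty array means no route ends up with a reflected origin and credentials at the same time.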

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
sails (npm)    < 0.12.7            0.12.7

Patches (1)

0057123a0321

Warn about overly-permissive CORS settings when lifting in production

https://github.com/balderdashy/sails · Scott Gress · Oct 5, 2016 · via ghsa
1 file changed · +48 −0
  • lib/hooks/cors/index.js (+48 −0, modified)
    @@ -44,6 +44,9 @@ module.exports = function(sails) {
          */
         initialize: function(cb) {
     
    +      // Declare an array to hold info about unsafely-configured routes.
    +      var unsafeRoutes = [];
    +
           // Once it's time to bind shadow routes, get to bindin'.
           sails.on('router:before', function () {
             // (TODO: consider changing this ^^ to `sails.after()` for consistency)
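Review bot: `unsafeRoutes` is declared once per `initialize` but populated inside the `router:before` handler registered right below it, so if that event is emitted again (a router reload, for instance) the same routes are pushed a second time and the later warning lists duplicates. Reset it at the top of the handler (`unsafeRoutes = [];`) or declare it inside the handler and pass it to the logging step.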
    @@ -112,10 +115,55 @@ module.exports = function(sails) {
                   sails.log.warn('Invalid CORS settings for route '+route);
                 }
     
    +            // If the global CORS defaults are not overly permissive, check this individual route's settings.
    +            if (sails.config.cors.allRoutes === false || sails.config.cors.origin !== '*' || sails.config.cors.credentials === false) {
    +              var routeCorsConfig = _.defaults(optionsRouteConfigs[path][verb || 'default'], sails.config.cors);
    +              // If they are too permissive, add the route to a list of unsafe routes to warn the user about
    +              // when running in the production environment.
    +              if (routeCorsConfig.origin === '*' && routeCorsConfig.credentials === true) {
    +                unsafeRoutes.push((verb ? (verb + ' ') : '') + path);
    +              }
    +            }
    +
               }
     
             });
     
    +        // Log a warning if your default CORS settings are super permissive in the production environment.
    +        if (sails.config.environment === 'production') {
    +          // If the global CORS defaults are permissive, log a warning about that.
    +          if (
    +            sails.config.cors.allRoutes === true &&
    +            sails.config.cors.origin === '*' &&
    +            sails.config.cors.credentials === true
    +          ) {
    +          sails.log.error('\n' +
    +                         '=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\n' +
    +                         'WARNING: You currently have your default CORS settings configured to allow\n' +
    +                         'all requests from all origins, with credentials.  This may leave your app\n' +
    +                         'open to attack by third-party sites!  Consider making your `origins` setting\n' +
    +                         'more restrictive or setting `credentials` to false, or else make certain that\n' +
    +                         'none of your routes perform sensitive actions or reveal secure information.\n' +
    +                         '=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\n');
    +          }
    +          // Otherwise log a warning mentioning the particular routes that are too permissive.
    +          else if (unsafeRoutes.length) {
    +            sails.log.error('\n' +
    +                           '=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\n' +
    +                           'WARNING: You currently have CORS settings on the following routes configured\n' +
    +                           'to allow all requests from all origins, with credentials:\n\n' + unsafeRoutes.join('\n') + '\n\n' +
    +                           'This may leave these routes open to attack by third-party sites!  Consider\n'+
    +                           'making the `origins` settings more restrictive or setting `credentials` to\n' +
    +                           'false, or else make certain that none of these routes perform sensitive\n' +
    +                           'actions or reveal secure information.\n' +
    +                           '=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=\n'
    +                           );
    +          }
    +        }
    +
    +
    +
    +
             _.each(optionsRouteConfigs, function(config, path) {
               sails.router.bind('options '+path, prepareSendHeaders(config, true), null, {_middlewareType: 'CORS HOOK: preflight'});
             });
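Review bot: this only logs; the code path that reflects the request Origin with `credentials: true` is left unchanged, so an app with these defaults is exactly as exposed after the patch as before, and the operator sees nothing unless `sails.config.environment === 'production'`. Consider refusing to emit `Access-Control-Allow-Credentials: true` for a reflected `'*'` origin, or at least warning in every environment, since the misconfiguration is just as reflective in development. Two smaller points in the same hunk: the messages tell the operator to restrict their `origins` setting, but the key read a few lines earlier is `sails.config.cors.origin` (singular), so people will grep for the wrong name; and `_.defaults(optionsRouteConfigs[path][verb || 'default'], sails.config.cors)` mutates its first argument, filling every per-route config with the global defaults as a side effect before `prepareSendHeaders` sees it. `_.defaults({}, optionsRouteConfigs[path][verb || 'default'], sails.config.cors)` keeps the check read-only. The `sails.log.error` call inside the first `if` is under-indented, and the four blank lines before `_.each(optionsRouteConfigs, ...)` can go.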
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (8)
