High severity, 8.8 (NVD advisory) · Published Jul 13, 2017 · Updated May 13, 2026
CVE-2017-11173
Description
Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net (as well as example.com-example.net) would be inadvertently allowed.
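The anchoring defect described above, reproduced as an added example that is not rack-cors's own code: the two `Regexp.compile` calls are copied from the "before" and "after" lines of the fix commit, while the helper names (`vulnerable_origin_regex`, `patched_origin_regex`, `origin_allowed?`, `evaluate`) and the sample Origin values are assumptions constructed for this demonstration.

```ruby
# Added example (not rack-cors's own code). Rebuilds the origin regex that
# rack-cors generated for a string origin before and after 0.4.1 and checks
# each against a trusted origin plus the look-alike hostnames the advisory names.

# Vulnerable form (rack-cors < 0.4.1): only a start anchor, so any origin whose
# host merely *begins with* the trusted host also matches.
def vulnerable_origin_regex(host)
  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(host)}")
end

# Patched form (rack-cors 0.4.1): an end anchor is appended, so the match must
# stop exactly at the end of the trusted host.
def patched_origin_regex(host)
  Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(host)}$")
end

# True if an Origin header value would be accepted by the given regex.
def origin_allowed?(regex, origin)
  !!(regex =~ origin)
end

# Constructed sample Origin values: the trusted site over both schemes, the two
# attacker-style hostnames from the advisory, and an unrelated site.
SAMPLE_ORIGINS = [
  "https://example.com",
  "http://example.com",
  "https://example.com.example.net",
  "https://example.com-example.net",
  "https://example.net",
].freeze

# Evaluates every origin against a regex; returns { origin => allowed? }.
def evaluate(regex, origins = SAMPLE_ORIGINS)
  origins.each_with_object({}) { |o, h| h[o] = origin_allowed?(regex, o) }
end

if __FILE__ == $PROGRAM_NAME
  { "vulnerable" => vulnerable_origin_regex("example.com"),
    "patched"    => patched_origin_regex("example.com") }.each do |label, regex|
    puts "#{label}: /#{regex.source}/"
    evaluate(regex).each { |origin, ok| puts "  #{ok ? 'ALLOW' : 'deny '} #{origin}" }
  end
end
```

Running the file prints a decision per sample origin for each regex: the vulnerable regex accepts `example.com.example.net` and `example.com-example.net`, the patched one accepts only the two `example.com` origins. The `$` that the fix adds is an end-of-line anchor in Ruby; `\z` is the stricter end-of-string anchor if you write similar origin checks yourself.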
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rack-cors (RubyGems) | < 0.4.1 | 0.4.1 |
Affected products
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Patches
- 42ebe6caa8e8: Add end string anchor to string origin def
1 file changed · +1 −1
lib/rack/cors.rb+1 −1 modified@@ -253,7 +253,7 @@ def origins(*args, &blk) /^https?:\/\//, 'file://' then n when '*' then @public_resources = true; n - else Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}") + else Regexp.compile("^[a-z][a-z0-9.+-]*:\\\/\\\/#{Regexp.quote(n)}$") end end.flatten @origins.push(blk) if blk
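Review bot: the appended `$` closes the hole the description names, but in Ruby `^` and `$` are line anchors rather than string anchors, so a value containing a newline could still satisfy the pattern at a line boundary; `\A` and `\z` are the strict start-of-string and end-of-string anchors and would be the safer pair for a single Origin value. The change is otherwise minimal and correct for the string-origin branch shown in the hunk; a one-line note in the commit message explaining why the end anchor matters (prefix hosts such as `example.com.example.net` matched before) would help future readers.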
References
- github.com/cyu/rack-cors/commit/42ebe6caa8e85ffa9c8a171bda668ba1acc7a5e6 (NVD: Patch, Third Party Advisory)
- seclists.org/fulldisclosure/2017/Jul/22 (NVD: Mailing List, Third Party Advisory)
- www.debian.org/security/2017/dsa-3931 (NVD: Third Party Advisory)
- github.com/advisories/GHSA-2j9c-9vmv-7m39 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-11173 (GHSA advisory)
- packetstormsecurity.com/files/143345/rack-cors-Missing-Anchor.html (NVD: Third Party Advisory, VDB Entry)