CVE-2017-14460
Description
An overly permissive CORS whitelist in Parity Ethereum client 1.7.8 allows remote attackers to interact with the JSON-RPC API via cross-site requests, leading to potential account compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Parity Ethereum client version 1.7.8 contains an overly permissive cross-domain (CORS) whitelist for its JSON-RPC interface, which by default is set to '*' [1]. This allows any website to make cross-origin requests to the JSON-RPC endpoint. The JSON-RPC is enabled by default and exposes a significant number of APIs [1].
Exploitation
An attacker can host a malicious website that, when visited by a victim running a Parity wallet, automatically sends a crafted JSON object to the JSON-RPC endpoint [1]. The victim needs to visit the malicious website while the Parity client is running. The request is automatically sent, requiring no additional user interaction beyond visiting the site [1].
Impact
Successful exploitation allows an attacker to leak sensitive information such as existing accounts, Parity settings, and network configuration [1]. If certain APIs are enabled, the attacker can also modify accounts and Parity settings, potentially leading to theft of funds or compromise of the Ethereum client [1]. The CVSS score is 7.5 (High) with impacts to confidentiality, integrity, and availability [1].
Mitigation
The issue was fixed in a later version of Parity; users should upgrade to a patched version [1]. As a workaround, users can restrict the CORS whitelist to specific trusted domains instead of using the default wildcard. No KEV listing is mentioned.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.7.8
- Talos/Parity v5 Range: Parity 1.7.8
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The default CORS whitelist is set to '*' (any origin), allowing arbitrary cross-origin requests to the JSON-RPC interface."
Attack vector
An attacker hosts a malicious website that, when visited by a victim running Parity, sends cross-origin XHR requests to the local JSON-RPC endpoint (localhost:8545). Because the default CORS whitelist is set to '*' (any origin), the browser's preflight and actual requests are accepted, and the JSON-RPC server responds with `Access-Control-Allow-Origin` reflecting the attacker's origin [ref_id=1]. This allows the attacker's script to call JSON-RPC methods such as `eth_accounts`, `eth_getBalance`, `parity_netPeers`, and `parity_rpcSettings`, leaking sensitive data [CWE-942] [ref_id=1].
Affected code
The vulnerability resides in the JSON-RPC interface of Parity Ethereum client version 1.7.8. The advisory does not specify exact function or file paths, but the CORS handling logic in the JSON-RPC daemon is at fault [ref_id=1].
What the fix does
The advisory does not include a patch. The recommended mitigation is to turn off or block CORS requests to the JSON-RPC interface [ref_id=1]. No code-level fix is published in the provided bundle.
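The Attack vector and Mitigation sections above describe the same decision from two sides: with a wildcard whitelist the JSON-RPC server echoes any `Origin` back in `Access-Control-Allow-Origin`, and with an explicit list it does not. The following is an added example, not code from the advisory or from Parity, that models that decision so a node operator can see why `'*'` is unsafe and what a restrictive whitelist should check. The whitelist representation (`'*'`, `None`, or a list of origins), the `normalize_origin` rules, and every origin string used below are assumptions constructed for illustration; Parity's own option names are not on this page and are not claimed here.

```python
"""Model of a JSON-RPC server's CORS whitelist decision (added example).

Not Parity's code. Shows the weak wildcard setting beside an explicit
allow-list, and an audit helper an operator can run against a config value.
"""
from typing import List, Optional, Union

from urllib.parse import urlsplit

JSONRPC_PORT = 8545  # default local endpoint named in the advisory

# Whitelist forms used by this model (assumption, not Parity's syntax):
#   "*"            -> reflect any Origin (the insecure default described above)
#   None           -> never emit CORS headers (cross-site callers get nothing)
#   [origin, ...]  -> only these exact origins are allowed
Whitelist = Union[str, None, List[str]]


def normalize_origin(origin: str) -> Optional[str]:
    """Reduce an Origin value to scheme://host[:port] for exact comparison.

    Returns None for anything that is not an http(s) origin, so malformed or
    unexpected values never match a whitelist entry by accident.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    default = 443 if parts.scheme == "https" else 80
    port = port or default
    host = parts.hostname.lower()
    if port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_allow_origin(whitelist: Whitelist, request_origin: Optional[str]) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value the server would send.

    None means the response carries no CORS header, so a browser will not let
    a page from that origin read the JSON-RPC result (and will fail the
    preflight that a JSON POST triggers).
    """
    if whitelist is None or request_origin is None:
        return None
    if whitelist == "*":
        # Insecure default: every origin, including an attacker's, is reflected.
        return request_origin
    wanted = normalize_origin(request_origin)
    if wanted is None:
        return None
    allowed = {normalize_origin(o) for o in whitelist} - {None}
    return request_origin if wanted in allowed else None


def preflight_headers(whitelist: Whitelist, request_origin: Optional[str]) -> dict:
    """Headers for an OPTIONS preflight; empty when the origin is not allowed."""
    acao = cors_allow_origin(whitelist, request_origin)
    if acao is None:
        return {}
    return {
        "Access-Control-Allow-Origin": acao,
        "Access-Control-Allow-Methods": "POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
    }


def is_permissive(whitelist: Whitelist) -> bool:
    """Operator audit: would an origin nobody trusted be reflected?

    The probe origin uses the reserved .invalid TLD and is constructed here.
    """
    return cors_allow_origin(whitelist, "https://untrusted.invalid") is not None


if __name__ == "__main__":
    trusted_ui = "http://localhost:8180"  # hypothetical wallet UI origin
    untrusted = "http://untrusted.invalid"
    for cfg in ("*", [trusted_ui], None):
        print(f"whitelist={cfg!r:>26}  untrusted origin -> "
              f"{cors_allow_origin(cfg, untrusted)!r}  permissive={is_permissive(cfg)}")
```

Running the block prints one line per configuration: the wildcard reflects the untrusted origin, while the explicit list and the disabled setting return no header, which is the outcome the workaround in the Mitigation section aims for. The comparison is done on a normalized scheme, host and port rather than on the raw string, so `http://LOCALHOST:8180` still matches a trusted `http://localhost:8180` entry but a different port or scheme does not.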
Preconditions
- config: Parity Ethereum client version 1.7.8 must be running with the JSON-RPC interface enabled (default) and the default CORS whitelist set to '*'
- input: The victim must visit a malicious website controlled by the attacker
- network: The victim's browser must be able to reach the local JSON-RPC endpoint (localhost:8545)
Reproduction
The advisory provides a full proof-of-concept. On the attacker host, serve `index.html` (as shown in the advisory) from a web server. On the victim host, run Parity (version 1.7.8) and visit the attacker's website. The page automatically executes cross-origin XHR calls to `http://localhost:8545`, leaking account addresses, balances, peer info, RPC settings, and version info [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.talosintelligence.com/vulnerability_reports/TALOS-2017-0508 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.