VYPR
Critical severity · NVD Advisory · Published Sep 1, 2021 · Updated Aug 4, 2024

Default CORS config allows any origin with credentials

CVE-2021-39185

Description

Http4s default CORS middleware allows origin reflection and null origin attacks, enabling credential exfiltration; fixed in versions 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The http4s CORS middleware, when used with the default CORSConfig (anyOrigin = true, allowCredentials = true), is vulnerable to an origin reflection attack and a null origin attack [1][2]. In affected versions (0.21.26 and earlier, 0.22.0 through 0.22.2, 0.23.0 and 0.23.1, and 1.0.0-M1 through 1.0.0-M24) the middleware copies whatever Origin header a request carries into the Access-Control-Allow-Origin response header and, because credentials are allowed, also sends Access-Control-Allow-Credentials: true [1][2]. The reflected value includes the literal Origin: null that browsers send from sandboxed iframes and other opaque-origin contexts, so an origin the application has never heard of is treated as trusted. No special configuration is required; applying the middleware with its defaults exposes the vulnerability.

Exploitation

An attacker hosts a web page that, when visited by a victim who is logged in to the vulnerable http4s server, issues a cross-origin XMLHttpRequest (or fetch) with withCredentials = true to a sensitive endpoint, so the browser attaches the victim's cookies or other ambient credentials [2]. The server answers with Access-Control-Allow-Origin set to the attacker's origin (reflected from the request) and Access-Control-Allow-Credentials: true, which is exactly the header pair a browser requires before it lets a script read a credentialed cross-origin response; a wildcard * is refused in the credentialed case, which is why reflection rather than a wildcard makes this exploitable. The attacker's script can therefore read the response body (for example a password or API secret) and send it to an attacker-controlled server [2]. The null origin variant works the same way: the attacker places the request in a sandboxed iframe, the browser sends Origin: null, and the server reflects null with credentials allowed, enabling the same exfiltration [2].

Impact

Successful exploitation lets an attacker read responses that require the victim's credentials (for example session cookies) from the vulnerable http4s server [2], disclosing secrets, passwords, or any other data the authenticated user can access. The attack runs entirely in the victim's browser: the attacker needs no network path to the server beyond what the victim already has, only a way to get the victim to load a page. Whether the victim's cookies accompany the cross-site request depends on their SameSite attribute; cookies marked SameSite=None are sent, as are all cookies in browsers that do not default to Lax.

Mitigation

The vulnerability is fixed in http4s versions 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25 [1][2][4]; upgrade to one of these. The original CORS implementation and CORSConfig are deprecated, so plan to move off them as well. If upgrading is not immediately possible, do not rely on the default: construct a CORSConfig with anyOrigin = false and an allowedOrigins predicate that matches the trusted origins exactly (full scheme, host, and port; no prefix or substring tests, and never null), and set allowCredentials = false unless cross-origin requests genuinely need cookies or Authorization headers [2]. See the GitHub security advisory for code examples [2]. To confirm a deployment is no longer affected, send requests with Origin: https://attacker.example and Origin: null and check that neither value is echoed in Access-Control-Allow-Origin alongside Access-Control-Allow-Credentials: true.
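The exploit conditions described under Exploitation and the allow-list workaround described here, as an added JavaScript model written for this page (it is not http4s code and not the advisory's Scala examples): corsHeaders models the middleware's decision using only the CORSConfig field names the page mentions (anyOrigin, allowedOrigins, allowCredentials), scriptCanReadCredentialedResponse encodes the browser's rule for reading a credentialed cross-origin response, and assess probes a policy with the two attack origins. The origins https://attacker.example and https://app.example and the prefixConfig pitfall are constructed for the demonstration.

```javascript
'use strict';

// Added illustration for this page: a minimal model of the CORS decision the
// advisory describes. It is not http4s code; only the field names (anyOrigin,
// allowedOrigins, allowCredentials) mirror the CORSConfig the page refers to.
// The origins used below (attacker.example, app.example) are made up.

// Response headers the middleware adds for a request carrying `origin`.
// `allowedOrigins` is a predicate on the full origin string.
function corsHeaders(origin, config) {
  const headers = {};
  if (origin === undefined) return headers; // no Origin header: not a CORS request
  if (!(config.anyOrigin || config.allowedOrigins(origin))) return headers; // no ACAO at all
  headers['Access-Control-Allow-Origin'] = origin; // reflection: echo the request Origin
  if (config.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Vary'] = 'Origin';
  return headers;
}

// What the browser does with that answer: a script running on `pageOrigin` may
// read a credentialed response only if ACAO equals its origin exactly ("*" is
// refused when credentials are involved) and ACAC is literally "true".
function scriptCanReadCredentialedResponse(pageOrigin, headers) {
  return headers['Access-Control-Allow-Origin'] === pageOrigin &&
         headers['Access-Control-Allow-Credentials'] === 'true';
}

// The default the advisory describes: anyOrigin = true, allowCredentials = true.
const vulnerableDefault = {
  anyOrigin: true,
  allowCredentials: true,
  allowedOrigins: () => false,
};

// Workaround shape: explicit allow-list, exact match on scheme://host[:port].
// "null" is never in the set, so sandboxed iframes get no ACAO.
function allowlistConfig(trustedOrigins, allowCredentials) {
  const trusted = new Set(trustedOrigins);
  return {
    anyOrigin: false,
    allowCredentials,
    allowedOrigins: (o) => trusted.has(o),
  };
}

// A common mistake when hand-writing allowedOrigins: a prefix test, which
// https://app.example.attacker.example satisfies just as well as https://app.example.
function prefixConfig(trustedPrefix) {
  return {
    anyOrigin: false,
    allowCredentials: true,
    allowedOrigins: (o) => o.startsWith(trustedPrefix),
  };
}

// Probe a policy with the two attack origins from the advisory plus any extras.
// "null" is the literal value a browser sends from a sandboxed iframe or any
// other opaque origin. Returns, per origin, whether an attacker page there could
// read a credentialed response.
function assess(config, extraOrigins = []) {
  const probes = ['https://attacker.example', 'null', ...extraOrigins];
  const exploitable = {};
  for (const o of probes) {
    exploitable[o] = scriptCanReadCredentialedResponse(o, corsHeaders(o, config));
  }
  return exploitable;
}

console.log('default config :', assess(vulnerableDefault));
console.log('exact allow-list:', assess(allowlistConfig(['https://app.example'], true)));
console.log('prefix test     :', assess(prefixConfig('https://app.example'),
  ['https://app.example.attacker.example']));
```

Run with node: the default policy is reported exploitable from both https://attacker.example and null, the exact-match allow-list from neither (while https://app.example still receives its credentialed headers), and the prefix test from https://app.example.attacker.example. The same two probe origins make a quick manual check against a live server: if either value comes back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true, the deployment is still affected.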

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (Maven) | Affected versions | Patched versions
org.http4s:http4s-server_2.13.0-M5 | >= 0 | none listed
org.http4s:http4s-server_3 | >= 0.22.0, < 0.22.3 | 0.22.3
org.http4s:http4s-server_3 | >= 0.23.0, < 0.23.2 | 0.23.2
org.http4s:http4s-server_2.10 | >= 0 | none listed
org.http4s:http4s-server_2.11 | >= 0 | none listed
org.http4s:http4s-server_2.12 | < 0.21.27 | 0.21.27
org.http4s:http4s-server_2.12 | >= 0.22.0, < 0.22.3 | 0.22.3
org.http4s:http4s-server_2.12 | >= 0.23.0, < 0.23.2 | 0.23.2
org.http4s:http4s-server_2.13 | < 0.21.27 | 0.21.27
org.http4s:http4s-server_2.13 | >= 0.22.0, < 0.22.3 | 0.22.3
org.http4s:http4s-server_2.13 | >= 0.23.0, < 0.23.2 | 0.23.2

Rows with an affected range of >= 0 and no patched version are cross-builds for Scala versions for which no fixed release is listed; the only remedy for those artifacts is to move to a Scala version that has a patched http4s-server build.

Affected products: 7

Patches: 0 (no patch commits linked yet)

References: 4

News mentions: 0