Improper Regex Path Matching in corydolphin/flask-cors
Description
corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| flask-cors | PyPI | < 6.0.0 | 6.0.0 |
Affected products
- Range: unspecified
Patches
e970988bea56 [CVE-2024-6839] Sort Paths by Regex Specificity (#391)
2 files changed · +12 −9
flask_cors/core.py+11 −8 modified@@ -69,14 +69,17 @@ def parse_resources(resources): # resource of '*', which is not actually a valid regexp. resources = [(re_fix(k), v) for k, v in resources.items()] - # Sort by regex length to provide consistency of matching and - # to provide a proxy for specificity of match. E.G. longer - # regular expressions are tried first. - def pattern_length(pair): - maybe_regex, _ = pair - return len(get_regexp_pattern(maybe_regex)) - - return sorted(resources, key=pattern_length, reverse=True) + # Sort patterns with static (literal) paths first, then by regex specificity + def sort_key(pair): + pattern, _ = pair + if isinstance(pattern, RegexObject): + return (1, 0, pattern.pattern.count("/"), -len(pattern.pattern)) + elif probably_regex(pattern): + return (1, 1, pattern.count("/"), -len(pattern)) + else: + return (0, 0, pattern.count("/"), -len(pattern)) + + return sorted(resources, key=sort_key) elif isinstance(resources, str): return [(re_fix(resources), {})]
tests/core/helper_tests.py+1 −1 modified@@ -81,7 +81,7 @@ def test_parse_resources_sorted(self): self.assertEqual( [r[0] for r in resources], - [re.compile(r'/api/v1/.*'), '/foo', re.compile(r'/.*')] + ['/foo', re.compile(r'/api/v1/.*'), re.compile(r'/.*')] ) def test_probably_regex(self):
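Review bot: in the core.py hunk, the new sort_key ranks every compiled RegexObject (second tuple element 0) ahead of every string regex (second element 1) that has the same slash count, so a long compiled pattern and a short string pattern are no longer compared on length at all; if that is intended, the comment `# Sort patterns with static (literal) paths first, then by regex specificity` should say so, because the removed comment documented the old rationale and the replacement only names the literal-first rule. It would also help to state why slash count is the primary specificity proxy ahead of length (so `/.*` sorts after `/api/v1/.*`) and that `-len(...)` is a descending-length tiebreaker, since a reader of `return (1, 0, pattern.pattern.count("/"), -len(pattern.pattern))` has to infer all of that from the tuple.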
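Review bot: the updated expectation in test_parse_resources_sorted, `['/foo', re.compile(r'/api/v1/.*'), re.compile(r'/.*')]`, checks that the literal path now sorts first but cannot distinguish the new slash-count ordering from the old length ordering for the two regexes, because `/api/v1/.*` is both longer and has more slashes than `/.*`, so both sort keys put it first. Add a pair in which the longer regex has fewer path segments than the shorter one, so that the test fails if the sort ever reverts to length alone.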
References
- github.com/advisories/GHSA-7rxf-gvfg-47g4 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-6839 (NVD entry)
- github.com/corydolphin/flask-cors/blob/4.0.1/flask_cors/core.py (affected source, version 4.0.1)
- github.com/corydolphin/flask-cors/commit/e970988bea563e05e8b8f53fa7bcc134b5bf5c5f (fix commit)
- huntr.com/bounties/403eb1fc-86f4-4820-8eba-0f3dfae9f2b4 (huntr report)
- lists.debian.org/debian-lts-announce/2025/05/msg00049.html (Debian LTS announcement)