CVE-2024-6844
Description
A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
flask-corsPyPI | < 6.0.0 | 6.0.0 |
Affected products
9- osv-coords8 versionspkg:apk/chainguard/kubeflow-jupyter-web-apppkg:apk/chainguard/kubeflow-volumes-web-apppkg:apk/chainguard/superset-6.0pkg:apk/wolfi/kubeflow-jupyter-web-apppkg:apk/wolfi/kubeflow-volumes-web-apppkg:apk/wolfi/superset-6.0pkg:pypi/flask-corspkg:rpm/opensuse/python-Flask-Cors&distro=openSUSE%20Tumbleweed
< 1.10.0-r3+ 7 more
- (no CPE)range: < 1.10.0-r3
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 6.0.0-r2
- (no CPE)range: < 1.10.0-r3
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 6.0.0-r2
- (no CPE)range: < 6.0.0
- (no CPE)range: < 6.0.2-1.1
- Range: unspecified
Patches
Vulnerability mechanics
References
6- huntr.com/bounties/731a6cd4-d05f-4fe6-8f5b-fe088d7b34e0nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-8vgw-p6qm-5gr7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-6844ghsaADVISORY
- github.com/corydolphin/flask-cors/blob/main/flask_cors/extension.pyghsaWEB
- github.com/corydolphin/flask-cors/commit/35d875319621bd129a38b2b823abf4a2f6cda536ghsaWEB
- lists.debian.org/debian-lts-announce/2025/05/msg00049.htmlnvdWEB
News mentions
0No linked articles in our index yet.