High severity7.5NVD Advisory· Published Mar 20, 2025· Updated Jun 17, 2026
CVE-2024-6866
CVE-2024-6866
Description
corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the try_match function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
flask-corsPyPI | < 6.0.0 | 6.0.0 |
Affected products
9- osv-coords8 versionspkg:apk/chainguard/kubeflow-jupyter-web-apppkg:apk/chainguard/kubeflow-volumes-web-apppkg:apk/chainguard/superset-6.0pkg:apk/wolfi/kubeflow-jupyter-web-apppkg:apk/wolfi/kubeflow-volumes-web-apppkg:apk/wolfi/superset-6.0pkg:pypi/flask-corspkg:rpm/opensuse/python-Flask-Cors&distro=openSUSE%20Tumbleweed
< 1.10.0-r3+ 7 more
- (no CPE)range: < 1.10.0-r3
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 6.0.0-r2
- (no CPE)range: < 1.10.0-r3
- (no CPE)range: < 1.10.0-r2
- (no CPE)range: < 6.0.0-r2
- (no CPE)range: < 6.0.0
- (no CPE)range: < 6.0.2-1.1
- Range: unspecified
Patches
Vulnerability mechanics
References
6- huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6nvdExploitThird Party AdvisoryWEB
- github.com/advisories/GHSA-43qf-4rqw-9q2gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-6866ghsaADVISORY
- github.com/corydolphin/flask-cors/blob/4.0.1/flask_cors/extension.pyghsaWEB
- github.com/corydolphin/flask-cors/commit/eb39516a3c96b90d0ae5f51293972395ec3ef358ghsaWEB
- lists.debian.org/debian-lts-announce/2025/05/msg00049.htmlnvdWEB
News mentions
0No linked articles in our index yet.