VYPR
Unrated severityNVD Advisory· Published Oct 27, 2025· Updated Oct 27, 2025

PILOS Misconfigured the Access-Control-Allow-Origin Header

CVE-2025-62523

Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. PILOS before 4.8.0 includes a Cross-Origin Resource Sharing (CORS) misconfiguration in its middleware: it reflects the Origin request header back in the Access-Control-Allow-Origin response header without proper validation or a whitelist, while Access-Control-Allow-Credentials is set to true. This behavior could allow a malicious website on a different origin to send requests (including credentials) to the PILOS API. This may enable exfiltration or actions using the victim’s credentials if the server accepts those cross-origin requests as authenticated. Laravel’s session handling applies additional origin checks such that cross-origin requests are not authenticated by default. Because of these session-origin protections, and in the absence of any other unknown vulnerabilities that would bypass Laravel’s origin/session checks, this reflected-Origin CORS misconfiguration is not believed to be exploitable in typical PILOS deployments. This vulnerability has been patched in PILOS in v4.8.0

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Thm Health/Pilosllm-fuzzy2 versions
    < 4.8.0+ 1 more
    • (no CPE)range: < 4.8.0
    • (no CPE)range: < 4.8.0

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.