VYPR
Unrated severity · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-37737

Description

Sanic-cors versions prior to 2.2.0 allow attackers to bypass CORS origin allowlists by crafting a malicious domain that starts with a trusted origin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The affected sanic-cors releases (see Description and Mitigation for the version boundary) contain an improper regular expression in the try_match() function in sanic_cors/core.py. The function passes the configured origin to re.match(), which anchors only at the start of the string and carries no end anchor, so a configured origin matches any request Origin that begins with it rather than only an exact match.

Exploitation

An attacker controls a hostname whose origin string begins with a trusted origin, for example https://trusted.com.attacker.io when https://trusted.com is allowed (owning attacker.io is enough; trusted.com.attacker.io is just a subdomain of it). When a victim visits a page on that host and the page issues a cross-origin request to the vulnerable service, the browser sets Origin: https://trusted.com.attacker.io, the unanchored match accepts it as a prefix of nothing more than the trusted string, and the service reflects that value in Access-Control-Allow-Origin, bypassing the intended allowlist.

Impact

Successful exploitation lets a page hosted on the attacker-controlled origin read cross-origin responses from the vulnerable service, including responses to the victim's authenticated requests, so the confidentiality impact is high: data intended only for the trusted origin can be exfiltrated. For cookie-authenticated resources the read additionally requires that the service send Access-Control-Allow-Credentials: true and that the session cookie be sent cross-site under its SameSite setting; without credentials the attacker still reads whatever the resource returns to an unauthenticated request.

Mitigation

The description lists versions prior to 2.2.0 as affected, which implies that 2.2.0 carries the fix; the narrative's reading of reference [2], however, is that 2.2.0 itself is still affected, and none of the cited references states a fixed version or release date explicitly. Upgrade to the latest sanic-cors release and confirm against the upstream changelog that the origin comparison in try_match() is anchored before treating any version as fixed. A quick check on a deployed instance: send a request whose Origin header merely extends a trusted origin (for example https://trusted.com.attacker.io) and verify that the response does not reflect it in Access-Control-Allow-Origin.

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `try_match()` function uses `re.match()` without an end-anchor, allowing unintended origin string prefixes to match."

Attack vector

An attacker controls a hostname whose origin string begins with a trusted origin, such as `https://trusted.com.attacker.io` when `https://trusted.com` is allowed. When a victim's browser loads a page from that host and the page makes a cross-origin request to the vulnerable sanic-cors application, the server compares the request `Origin` against the allowlist with the unanchored regex and accepts it as a prefix match. The attacker's origin is then reflected in the `Access-Control-Allow-Origin` header, allowing the malicious page to read authenticated cross-origin responses [ref_id=1].

Affected code

The vulnerability resides in the `try_match()` function within the `sanic_cors/core.py` file, specifically on lines 306 and 308 [ref_id=1]. This function is responsible for validating request origins against the configured allowlist.

What the fix does

The advisory identifies the cause as `try_match()` in `sanic_cors/core.py` calling `re.match()` without end-anchoring, so origins that begin with a trusted string pass the allowlist [ref_id=1]. No fix commit is linked on this page, so the corrected code cannot be quoted here. The remedy the advisory implies is to require the whole `Origin` value to match: in Python that means `re.fullmatch()` (or a `\Z` anchor) rather than `re.match()`, bearing in mind that a trailing `$` alone still matches before a final newline. Configured values that are plain origins rather than patterns are safer compared by exact string equality than compiled as regular expressions at all.
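The following Python block is an added example written for this page; it is not sanic-cors code and does not reproduce `try_match()`. It places a checker with the described flaw (unanchored `re.match()` against configured origins) beside a hardened checker (exact equality for literal origins, `re.fullmatch()` for explicit patterns) and runs both over constructed Origin headers, including the `https://trusted.com.attacker.io` case from the Exploitation section. The allowlist, the sample origins, the regex-metacharacter heuristic and the `cors_headers()` helper are all assumptions of the example, not the library's behaviour.

```python
import re
from typing import Callable, Dict, Iterable, Optional

# Constructed allowlist for this added example (not sanic-cors configuration):
# a literal origin plus an explicit regex for numbered preview hosts.
ALLOWED_ORIGINS = ["https://trusted.com", r"https://preview-\d+\.trusted\.com"]

# Constructed Origin header values a server might receive.
SAMPLE_ORIGINS = [
    "https://trusted.com",              # legitimate
    "https://preview-42.trusted.com",   # legitimate, matched by the pattern
    "https://trusted.com.attacker.io",  # prefix bypass from the advisory
    "https://trusted.community",        # any continuation of the prefix also passes
    "https://attacker.io",              # unrelated origin
]

# Heuristic (this example's assumption): a configured value containing any of
# these characters is treated as a pattern, anything else as a literal origin.
# '.' is deliberately excluded because every literal origin contains one.
_REGEX_META = re.compile(r"[\\^$*+?{}\[\]|()]")


def origin_allowed_unanchored(origin: str, allowed: Iterable[str]) -> bool:
    """Reproduces the flaw described for try_match(): re.match() anchors only
    at the start of the string, so any Origin that merely begins with a
    configured value is accepted."""
    return any(re.match(pattern, origin) for pattern in allowed)


def origin_allowed_anchored(origin: str, allowed: Iterable[str]) -> bool:
    """Hardened check (this example's design, not the project's fix): literal
    values must compare equal to the Origin; pattern values must match the
    whole Origin via re.fullmatch(). fullmatch is used instead of a trailing
    '$' because in Python '$' also matches just before a final newline."""
    for value in allowed:
        if _REGEX_META.search(value):
            if re.fullmatch(value, origin):
                return True
        elif origin == value:
            return True
    return False


def cors_headers(
    origin: Optional[str],
    allowed: Iterable[str],
    check: Callable[[str, Iterable[str]], bool],
) -> Dict[str, str]:
    """Headers a CORS layer would emit for a request carrying `origin`, using
    `check` as the allowlist decision. Reflecting the request Origin is only
    safe when `check` is exact; with the unanchored check the attacker's
    origin is reflected verbatim."""
    headers: Dict[str, str] = {}
    if origin and check(origin, allowed):
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    return headers


def compare(origins: Iterable[str], allowed: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """Evaluate every sample Origin under both checks."""
    return {
        o: {
            "unanchored": origin_allowed_unanchored(o, allowed),
            "anchored": origin_allowed_anchored(o, allowed),
        }
        for o in origins
    }


if __name__ == "__main__":
    for origin, verdict in compare(SAMPLE_ORIGINS, ALLOWED_ORIGINS).items():
        print(f"{origin:36} unanchored={verdict['unanchored']!s:5} anchored={verdict['anchored']}")
```

Run directly, the block prints a verdict table; the point to take from it is that both `https://trusted.com.attacker.io` and `https://trusted.community` pass the unanchored check and receive a reflected Access-Control-Allow-Origin, while the legitimate preview host still passes the anchored one.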

Preconditions

  • config: The sanic-cors application is configured with an allowlist containing at least one trusted origin string.
  • network: The attacker controls a hostname whose origin string begins with that trusted origin (for example a subdomain of an attacker-owned domain).
  • input: A victim's browser sends a cross-origin request to the application from a page on the attacker's host, so the request carries the attacker's origin in the Origin header.
  • auth: The target resource returns sensitive data to the victim's authenticated session, and the response becomes readable by the attacker's page once Access-Control-Allow-Origin reflects its origin (for cookie-based sessions this also needs Access-Control-Allow-Credentials: true).

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0

No linked articles in our index yet.