CVE-2023-49803: @koa/cors has overly permissive origin policy
@koa/cors npm provides Cross-Origin Resource Sharing (CORS) for koa, a web framework for Node.js. Prior to version 5.0.0, the middleware operates in a way that if an allowed origin is not provided, it will return an `Access-Control-Allow-Origin` header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy (SOP), this could cause a very serious security threat to the users of this middleware. If such behavior is expected, for instance, when middleware is used exclusively for prototypes and not for production applications, it should be heavily emphasized in the documentation along with an indication of the risks associated with such behavior, as many users may not be aware of it. Version 5.0.0 fixes this vulnerability.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2023-49803?
CVE-2023-49803 has been classified as a medium severity vulnerability due to its potential impact on security for web applications using the affected middleware.
How do I fix CVE-2023-49803?
To fix CVE-2023-49803, update the @koa/cors package to version 5.0.0 or later.
What are the potential impacts of CVE-2023-49803?
CVE-2023-49803 can result in improperly managed cross-origin resource sharing, leading to potential data exposure or attacks from malicious origins.
Which versions of @koa/cors are affected by CVE-2023-49803?
Versions of @koa/cors prior to 5.0.0 are affected by CVE-2023-49803.
Where can I find more information about CVE-2023-49803?
More information can be obtained from the GitHub repository for @koa/cors, which provides details on the vulnerability.