CVE-2024-25124 — Insecure CORS Configuration allowing wildcard origin with credentials in github.

Description

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.

How to fix CVE-2024-25124

To remediate CVE-2024-25124, upgrade the affected package to a fixed version below.

—upgrade to 2.52.1 or later
—upgrade to 2.52.1 or later

Is CVE-2024-25124 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.52.1
from 0, < 2.52.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-25124
PATCHgithub.com/gofiber/fiber
WEBblog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
WEBcodeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials