The vulnerability in cors-anywhere arises from its default configuration as an open proxy. When an instance lacks proper access controls, any unauthenticated user can send an HTTP request to the proxy server with a target URL specified in the path (e.g., `http://vulnerable-proxy.com/http://internal-service/`). The server then forwards the request, including headers like `Origin` and HTTP methods such as PUT, to the specified target. This allows attackers to route requests through the server to internal networks, bypassing firewall restrictions. A critical attack vector involves targeting cloud metadata services (like AWS IMDS) by requesting `http://169.254.169.254/`. If the proxy server has access to these link-local addresses, it can retrieve sensitive instance role credentials. The proxy's behavior of reflecting response headers back to the attacker enables the theft of this data, leading to full cloud account compromise.
`curl -H "Origin: http://evil.com" http://vulnerable-cors-proxy/http://169.254.169.254/latest/meta-data/iam/security-credentials/`
`npm list cors-anywhere`
Platform: Node.js
Version: < 0.4.4
Vulnerability: SSRF
Severity: Critical
Date: 2020-11-10
Prediction: Patch available
What Undercode Say:
`iptables -A OUTPUT -d 169.254.169.254 -j DROP`
How Exploit:
An attacker sends a request to a misconfigured cors-anywhere instance with the internal cloud metadata service URL in the path. The proxy server forwards the request from its own network context, accessing the restricted metadata endpoint. The attacker receives the sensitive credentials in the response.
Protection from this CVE:
Upgrade to v0.4.4.
Implement origin whitelisting.
Block internal IP ranges.
Disable unsafe HTTP methods.
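The origin, destination and method checks from the list above, combined in one policy function. This is an added example, not cors-anywhere's own code; `checkProxyRequest`, the allowed origin and the set of allowed methods are assumptions.

```javascript
// Added example: request policy for a CORS proxy (all names are hypothetical).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed value
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);   // assumed safe set

// IPv4 ranges the proxy must never reach: [network, prefix length].
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], // link-local, includes 169.254.169.254 (cloud metadata)
  ['172.16.0.0', 12], ['192.168.0.0', 16],
];

// Dotted-decimal IPv4 -> unsigned 32-bit integer, or null if not an IPv4 literal.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isBlockedV4(host) {
  const ip = ipv4ToInt(host);
  if (ip === null) return false;
  return BLOCKED_V4.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return (ip & mask) >>> 0 === (ipv4ToInt(net) & mask) >>> 0;
  });
}

// Returns { allowed, reason } for one proxied request.
function checkProxyRequest({ method, origin, target }) {
  if (!ALLOWED_METHODS.has(String(method).toUpperCase()))
    return { allowed: false, reason: 'method' };
  if (!ALLOWED_ORIGINS.has(origin)) return { allowed: false, reason: 'origin' };
  let url;
  try { url = new URL(target); } catch { return { allowed: false, reason: 'url' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:')
    return { allowed: false, reason: 'scheme' };
  // URL parsing normalises the host, so the range test sees dotted decimal.
  const host = url.hostname;
  // Conservative assumption: refuse every IPv6 literal instead of classifying it.
  if (host.startsWith('[')) return { allowed: false, reason: 'ipv6-literal' };
  if (host === 'localhost' || host.endsWith('.localhost') || isBlockedV4(host))
    return { allowed: false, reason: 'internal-address' };
  return { allowed: true, reason: 'ok' };
}
```

The `Origin` header is supplied by the client, so the origin allowlist is not an access control on its own; the destination check is what refuses the metadata address. A literal check does not cover hostnames that resolve to internal addresses or redirects to them, so apply the same range test to the resolved address and keep the `iptables` rule as a network-level backstop.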
Impact:
Cloud credential theft.
Internal API access.
Remote code execution.
Data exfiltration.
Sources:
Reported By: github.com

