### Vulnerability Overview

This vulnerability involves an insecure CORS (Cross-Origin Resource Sharing) policy that allows cross-origin attacks. In the `on_prepare` handler, the `Origin` request header is unconditionally reflected into the `Access-Control-Allow-Origin` response header. Furthermore, when the `cors_allowed_origins` configuration is empty, cross-origin requests to all API endpoints are permitted. This allows any website to perform cross-origin downloads, cookie overwriting, and data deletion.

### Impact Scope

- **Cross-Origin Downloads**: Any website can initiate cross-origin download requests.
- **Cookie Overwriting**: Attackers can overwrite user cookies via cross-origin requests.
- **Data Deletion**: Attackers can execute cross-origin data deletion operations.

### Remediation

Replace the previous blanket Origin reflection with an explicit whitelist mechanism. Use the `CORS_ALLOWED_ORIGINS` environment variable, which denies all cross-origin requests by default. Users can configure `CORS_ALLOWED_ORIGINS` with a comma-separated list of trusted origins.
### POC Code

Code snippet before the fix: every `Origin` value is echoed back unchanged.

```python
@app.on_prepare
def on_prepare(request, response):
    if 'Origin' in request.headers:
        # Vulnerable: the request's Origin is reflected without any check
        response.headers['Access-Control-Allow-Origin'] = request.headers['Origin']
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
```

Code snippet after the fix: only origins listed in `CORS_ALLOWED_ORIGINS` are allowed, and an empty list denies all cross-origin requests.

```python
# Add to configuration file
'CORS_ALLOWED_ORIGINS': '',

# Handle in code
# Comma-separated list of trusted origins; blanks are dropped, so an empty
# setting yields [] and no cross-origin request is ever allowed.
_cors_origins = [o.strip() for o in config.CORS_ALLOWED_ORIGINS.split(',') if o.strip()] if config.CORS_ALLOWED_ORIGINS else []

@app.on_prepare
def on_prepare(request, response):
    if 'Origin' in request.headers:
        origin = request.headers.get('Origin')
        # Exact-match allowlist check replaces the reflection
        if origin and _cors_origins and origin in _cors_origins:
            response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Access-Control-Allow-Headers'] = 'Content-Type'
```
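The following is an added example, not the project's own code: it models the pre-fix reflection and the post-fix allowlist side by side using plain dicts in place of the framework's request and response objects, and parses `CORS_ALLOWED_ORIGINS` the same way the fix does. The function names (`parse_allowed_origins`, `allowed_origins_from_env`, `apply_cors`) and the sample origins are constructed for this illustration; the `Vary: Origin` header is an addition beyond the advisory's patch.

```python
import os


def parse_allowed_origins(raw):
    """Parse CORS_ALLOWED_ORIGINS exactly as the fix does.

    Comma-separated, whitespace trimmed, blanks dropped; an unset or empty
    value gives [] so every cross-origin request is denied by default.
    """
    return [o.strip() for o in raw.split(',') if o.strip()] if raw else []


def allowed_origins_from_env(environ=None):
    """Build the allowlist from the CORS_ALLOWED_ORIGINS environment variable."""
    environ = os.environ if environ is None else environ
    return parse_allowed_origins(environ.get('CORS_ALLOWED_ORIGINS', ''))


def apply_cors(request_headers, allowed_origins, reflect_origin=False):
    """Return the CORS headers the on_prepare handler would add to a response.

    reflect_origin=True reproduces the pre-fix behaviour: whatever Origin the
    browser sends is echoed back, so any site passes the browser's CORS check.
    reflect_origin=False applies the fixed exact-match allowlist check.
    """
    response_headers = {}
    origin = request_headers.get('Origin')
    if origin is None:
        return response_headers  # no Origin: same-origin or non-browser client
    if reflect_origin:
        response_headers['Access-Control-Allow-Origin'] = origin
    elif allowed_origins and origin in allowed_origins:
        response_headers['Access-Control-Allow-Origin'] = origin
        # Not in the advisory's patch: mark the response as Origin-dependent so
        # a shared cache never serves an allowlisted reply to another origin.
        response_headers['Vary'] = 'Origin'
    response_headers['Access-Control-Allow-Headers'] = 'Content-Type'
    return response_headers


if __name__ == '__main__':
    # Constructed sample values
    allowed = parse_allowed_origins('https://app.example.com, https://admin.example.com')
    untrusted = {'Origin': 'https://untrusted.example'}
    print('before fix:', apply_cors(untrusted, [], reflect_origin=True))
    print('after fix: ', apply_cors(untrusted, allowed))
```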