Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-fmg4-x8pw-hjhg: Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (“*”) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.

Impact

The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.

Proof of Concept

The code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.

Potential Solution

Here is a potential solution to ensure the CORS configuration is secure:

func New(config ...Config) fiber.Handler {
    if cfg.AllowCredentials && cfg.AllowOrigins == "*" {
        panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
    }
    // Return new handler goes below
}

The middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.

Workarounds

For the meantime, users are advised to manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, browsers and utilities that enforce CORS policies are not affected by this.

References

MDN Web Docs on CORS Errors SaturnCloud Blog on CORS CodeQL on CORS Misconfiguration PortSwigger on Exploiting CORS Misconfigurations WhatWG CORS protocol and credentials

ghsa
#vulnerability#web#js#git#java#auth

Skip to content

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-25124

Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials

Critical severity GitHub Reviewed Published Feb 21, 2024 in gofiber/fiber • Updated Feb 22, 2024

Package

gomod github.com/gofiber/fiber/v2 (Go)

Affected versions

< 2.52.1

Description

Published to the GitHub Advisory Database

Feb 22, 2024

Last updated

Feb 22, 2024

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP