CVE-2024-6866

Severity: High. Public PoC available.

Published: 20 March 2025
Modified: 03 November 2025
KEV Added: not listed
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (20.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-6866 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in the Flask-Cors project's Flask-Cors library. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-6866 is a vulnerability in corydolphin/flask-cors version 4.01, a Python library for handling Cross-Origin Resource Sharing (CORS) in Flask applications. The issue arises from case-insensitive request path matching implemented via the `try_match` function, which is intended for host matching rather than paths. URL paths are inherently case-sensitive, but the regex matching treats them as case-insensitive, creating a mismatch that permits unauthorized origins to bypass intended restrictions on specific paths.
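The matcher below is an added illustration, not Flask-CORS's own code: it applies a host-style case-insensitive regex match to request paths (the vulnerable behaviour) beside a case-sensitive match (the fix), against a constructed resource table that is an assumption for this example (a permissive `/public/*` rule listed ahead of a restricted catch-all).

```python
import re

# Constructed example configuration (an assumption, not the advisory's):
# an ordered Flask-CORS style resource table mapping a path pattern to
# the origins allowed for it. The first matching pattern wins, so the
# permissive rule is listed before the restrictive catch-all.
RESOURCES = [
    (r"/public/*", ["*"]),                   # open to any origin
    (r"/*", ["https://intranet.example"]),   # everything else: intranet only
]


def pattern_to_regex(pattern: str) -> str:
    """Turn a simple '/prefix/*' glob into an anchored regex.

    Simplification: Flask-CORS uses resource keys as regexes directly;
    this helper exists only so the two matchers below differ in nothing
    but their case handling.
    """
    return "^" + re.escape(pattern).replace(r"\*", ".*") + "$"


def try_match_vulnerable(path: str, pattern: str) -> bool:
    """Host-style matching applied to a path: re.IGNORECASE lets
    '/Public/x' satisfy the '/public/*' rule, which is the CWE-178 flaw."""
    return re.match(pattern_to_regex(pattern), path, flags=re.IGNORECASE) is not None


def try_match_fixed(path: str, pattern: str) -> bool:
    """Case-sensitive matching, which is correct for URL paths."""
    return re.match(pattern_to_regex(pattern), path) is not None


def allowed_origins(path: str, matcher) -> list:
    """Return the origin list of the first resource rule the path matches."""
    for pattern, origins in RESOURCES:
        if matcher(path, pattern):
            return origins
    return []  # no rule matched: no CORS headers would be emitted


def origin_allowed(path: str, origin: str, matcher) -> bool:
    """Would this Origin receive Access-Control-Allow-Origin for the path?"""
    origins = allowed_origins(path, matcher)
    return "*" in origins or origin in origins


if __name__ == "__main__":
    for path in ("/public/report", "/Public/report"):
        print(path,
              "vulnerable:", origin_allowed(path, "https://untrusted.example", try_match_vulnerable),
              "fixed:", origin_allowed(path, "https://untrusted.example", try_match_fixed))
```

Whether a request for `/Public/report` ever reaches a handler depends on the application's routing; the check to keep in mind is that the CORS layer must never widen the origin set for a path the configuration marked as restricted.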

Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). Exploitation enables unauthorized origins to access paths configured to be restricted, leading to high confidentiality impacts (C:H) such as data exposure and leaks, without affecting integrity or availability (I:N/A:N). The CVSS v3.1 base score is 7.5, linked to CWE-178 (Improper Handling of Case Sensitivity).

Advisories and patches are detailed in references including a Huntr bounty report at https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6 and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/05/msg00049.html. The vulnerability was published on 2025-03-20.

Vulnerability details

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.

CWE(s): CWE-178 Improper Handling of Case Sensitivity

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2024-6866 in flask-cors enables exploitation of public-facing web applications by allowing unauthorized origins to bypass case-sensitive path restrictions via case-insensitive matching, resulting in unauthorized access and data exposure.

MITRE ATLAS Techniques (AI-assisted mapping)

AML.T0040: AI Model Inference API Access

CVEs Like This One

CVE-2025-27636 (shared CWE-178)
CVE-2026-27587 (shared CWE-178)
CVE-2026-27588 (shared CWE-178)
CVE-2026-29054 (shared CWE-178)
CVE-2026-32939 (shared CWE-178)
CVE-2026-22665 (shared CWE-178)
CVE-2026-33691 (shared CWE-178)
CVE-2026-47323 (shared CWE-178)
CVE-2026-28292 (shared CWE-178)
CVE-2026-40453 (shared CWE-178)

Affected Assets

Vendor: flask-cors project
Product: flask-cors
Version: 4.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent: Patching the vulnerable flask-cors version 4.01 directly resolves the case-insensitive path matching flaw, preventing unauthorized origins from accessing restricted paths.

Prevent, detect: Vulnerability scanning identifies the CVE-2024-6866 case-insensitivity issue in flask-cors deployments, enabling timely remediation to block exploitation.

Prevent, detect: Boundary protection with WAFs or proxies enforces strict origin and case-sensitive path controls, mitigating CORS bypasses from the library flaw.
