CVE-2024-6866
Published: 20 March 2025
Summary
CVE-2024-6866 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in the Flask-Cors Project's Flask-Cors library. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 23.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Patching the vulnerable flask-cors version 4.01 directly resolves the case-insensitive path matching flaw, preventing unauthorized origins from accessing restricted paths.
Vulnerability scanning identifies the CVE-2024-6866 case-insensitivity issue in flask-cors deployments, enabling timely remediation to block exploitation.
Boundary protection with WAFs or proxies enforces strict origin and case-sensitive path controls, mitigating CORS bypasses from the library flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-6866 in flask-cors enables exploitation of public-facing web applications by allowing unauthorized origins to bypass case-sensitive path restrictions via case-insensitive matching, resulting in unauthorized access and data exposure.
NVD Description
corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.
Deeper analysis
CVE-2024-6866 is a vulnerability in corydolphin/flask-cors version 4.01, a Python library for handling Cross-Origin Resource Sharing (CORS) in Flask applications. The issue arises from case-insensitive request path matching implemented via the `try_match` function, which is intended for host matching rather than paths. URL paths are inherently case-sensitive, but the regex matching treats them as case-insensitive, creating a mismatch that permits unauthorized origins to bypass intended restrictions on specific paths.
Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). Exploitation enables unauthorized origins to access paths configured to be restricted, leading to high confidentiality impacts (C:H) such as data exposure and leaks, without affecting integrity or availability (I:N/A:N). The CVSS v3.1 base score is 7.5, linked to CWE-178 (Improper Handling of Case Sensitivity).
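The mismatch described above, as an added illustration that is not flask-cors's own code: the same path-pattern matcher run case-insensitively (the CWE-178 behaviour of applying a host-style match to a URL path) and case-sensitively (what URL paths require), with `affected_routes` reporting which routes receive a different CORS policy between the two. The resource map, the route list and the wildcard-to-regex conversion are constructed assumptions.

```python
import re

# Constructed flask-cors style "resources" map: path pattern -> allowed origins.
# Illustration only, not flask-cors's own data structures or code.
RESOURCES = {
    r"/api/public/*": ["*"],
    r"/api/internal/*": ["https://admin.example"],
}

# Constructed application routes. Flask routing is case-sensitive, so each of
# these is a distinct endpoint.
ROUTES = ["/api/public/items", "/API/Public/Items", "/Api/Internal/users", "/health"]


def pattern_to_regex(pattern: str) -> str:
    """Expand '*' to '.*' and escape everything else (assumed conversion)."""
    return "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"


def match_path(path: str, pattern: str, case_sensitive: bool) -> bool:
    """Match one request path against one resource pattern.
    case_sensitive=False reproduces the flaw: a host-style, case-insensitive
    regex match applied to a URL path, which is case-sensitive."""
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(pattern_to_regex(pattern), path, flags) is not None


def allowed_origins(path: str, resources: dict, case_sensitive: bool):
    """Origins of the first matching pattern, or None when nothing matches."""
    for pattern, origins in resources.items():
        if match_path(path, pattern, case_sensitive):
            return origins
    return None


def affected_routes(routes, resources):
    """Routes whose CORS policy differs between case-sensitive (intended) and
    case-insensitive (vulnerable) matching: route -> (strict, loose)."""
    report = {}
    for route in routes:
        strict = allowed_origins(route, resources, case_sensitive=True)
        loose = allowed_origins(route, resources, case_sensitive=False)
        if strict != loose:
            report[route] = (strict, loose)
    return report


if __name__ == "__main__":
    for route, (strict, loose) in affected_routes(ROUTES, RESOURCES).items():
        print(f"{route}: intended={strict} under vulnerable matching={loose}")
```

Routes that only appear in the report under case-insensitive matching are the ones whose CORS policy changes once path matching is made case-sensitive, which is what a deployment audit should flag.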
Advisories and patches are detailed in references including a Huntr bounty report at https://huntr.com/bounties/808c11af-faee-43a8-824b-b5ab4f62b9e6 and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/05/msg00049.html. The vulnerability was published on 2025-03-20.
Details
- CWE(s)