Aikido Intel
Secure My Code
Intel

CVE-2024-6221

Flask-Cors is vulnerable to Improper Access Control

Improper Access Control Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Aug 18, 2024

75

High Risk

This Affects:

Flask-Cors
Are you affected? Scan for Free

TL;DR

Affected versions of the package are vulnerable to Improper Access Control. The vulnerability allows the Access-Control-Allow-Private-Network CORS header to be set to true by default, without any configuration option. This behavior can expose private network resources to unauthorized external access, leading to significant security risks such as data breaches, unauthorized access to sensitive information, and potential network intrusions.

Who does this affect?

You're running any version of 'Flask-Cors' 4.0.2

Background info

Flask-Cors is vulnerable to Improper Access Control.

How to fix this

Upgrade Flask-Cors library to patch version and set CORS_ALLOW_PRIVATE_NETWORK to false in config if you upgrade to 4.0.2, when updating to 5.0.0, this is already the default behavior.

Links

Are You Affected?

Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.

Scan for Free
Book a Demo

Free. No credit card required.

Aikido Platform
Subscribe
Stay up to date with all updates
LinkedIn YouTube X
© 2026 Aikido Security BV | BE0792914919
Ghent, Belgium | San Francisco, US
SOC 2SOC 2Compliant
ISO 27001ISO 27001Compliant
Get Security Done