Permissive List of Allowed Inputs
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-183: Permissive List of Allowed Inputs |
| OWASP | A04:2021 - Insecure Design |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The regular expression used to decide which origins are allowed by CORS contains an unescaped `.` character. In a regular expression an unescaped `.` matches any single character, not only a literal dot, so the pattern accepts more origins than the one it was written for. This can unintentionally allow requests from unauthorized or unexpected origins.
Impact
If exploited, attackers could send cross-origin requests from malicious domains that match the overly broad pattern, potentially exposing sensitive data or enabling unauthorized actions on behalf of users. This weakens the access control protections provided by CORS.
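As an added example (not taken from the rule's own documentation or any real project), the flagged pattern is shown beside its escaped form and both are checked against a few constructed origins; the hostnames, pattern names and helper functions are assumptions.

```python
import re

# Pattern as the rule would flag it: both '.' characters are unescaped, so
# each of them matches any single character. (Constructed example.)
WEAK_ORIGIN_PATTERN = re.compile(r"^https://api.example.com$")

# Hardened form: every literal dot is escaped so it matches only '.'.
SAFE_ORIGIN_PATTERN = re.compile(r"^https://api\.example\.com$")


def origin_allowed(origin: str, pattern: re.Pattern) -> bool:
    """Return True if the request's Origin header matches the allow pattern.

    fullmatch() requires the pattern to cover the whole origin string; a
    search()-style match would additionally let prefixes and suffixes through.
    """
    return pattern.fullmatch(origin) is not None


def cors_headers_for(origin: str, pattern: re.Pattern) -> dict:
    """Build the CORS response headers a server would emit for this origin.

    Only an allowed origin is reflected back; any other origin gets no
    Access-Control-Allow-Origin header at all.
    """
    if origin_allowed(origin, pattern):
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {"Vary": "Origin"}


# Constructed sample origins. Replacing a '.' with any other character gives
# a different registrable domain that the pattern was never meant to trust.
SAMPLE_ORIGINS = [
    "https://api.example.com",  # the single origin that should be allowed
    "https://apixexample.com",  # first '.' replaced by 'x'
    "https://api-example.com",  # first '.' replaced by '-'
    "https://api.example.co",   # shorter host; both patterns must reject it
]


def audit(pattern: re.Pattern) -> list:
    """Return the subset of SAMPLE_ORIGINS that the given pattern accepts."""
    return [o for o in SAMPLE_ORIGINS if origin_allowed(o, pattern)]


if __name__ == "__main__":
    print("weak pattern accepts:", audit(WEAK_ORIGIN_PATTERN))
    print("safe pattern accepts:", audit(SAFE_ORIGIN_PATTERN))
```

Running the audit shows the weak pattern accepting three of the four origins while the escaped pattern accepts only the intended one, which is the check a reviewer can apply to any origin regex before deploying it.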