An update for python-Flask-Cors is now available for openEuler-24.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1938 Final 1.0 1.0 2025-08-01 Initial 2025-08-01 2025-08-01 openEuler SA Tool V1.0 2025-08-01 python-Flask-Cors security update An update for python-Flask-Cors is now available for openEuler-24.03-LTS A Flask extension for handling Cross Origin Resource Sharing (CORS), making cross-origin AJAX possible. Security Fix(es): corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.(CVE-2024-6839) A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues.(CVE-2024-6844) corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks.(CVE-2024-6866) An update for python-Flask-Cors is now available for openEuler-24.03-LTS. openEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Medium python-Flask-Cors https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1938 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6839 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6844 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-6866 https://nvd.nist.gov/vuln/detail/CVE-2024-6839 https://nvd.nist.gov/vuln/detail/CVE-2024-6844 https://nvd.nist.gov/vuln/detail/CVE-2024-6866 openEuler-24.03-LTS python-Flask-Cors-6.0.1-1.oe2403.src.rpm python-Flask-Cors-help-6.0.1-1.oe2403.noarch.rpm python3-Flask-Cors-6.0.1-1.oe2403.noarch.rpm corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors. 2025-08-01 CVE-2024-6839 openEuler-24.03-LTS Medium 4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N python-Flask-Cors security update 2025-08-01 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1938 A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues. 2025-08-01 CVE-2024-6844 openEuler-24.03-LTS Medium 5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N python-Flask-Cors security update 2025-08-01 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1938 corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks. 2025-08-01 CVE-2024-6866 openEuler-24.03-LTS Medium 5.3 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N python-Flask-Cors security update 2025-08-01 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1938