Pypi · @Elysiajs/Cors · CVE-2025-50864
Name of the Vulnerable Software and Affected Versions:
elysia-cors versions through 1.3.0
Description:
An origin validation error in the elysia-cors library allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site’s CORS policy, rather than performing an exact match. For example, a malicious origin like “notexample.com” or “example.common.net” is whitelisted when the site’s CORS policy specifies “example.com”. This enables unauthorized access to user data on sites using the elysia-cors library for CORS validation.
Recommendations:
Update to a version of elysia-cors beyond 1.3.0.