PT-2023-31361 · npm · @koa/cors

Pawelj-Pl · Published 2023-12-11 · Updated 2023-12-14 · CVE-2023-49803

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: @koa/cors versions prior to 5.0.0

Description: In @koa/cors before 5.0.0, when the middleware is used without an explicit `origin` option it echoes the request's Origin header back as the value of Access-Control-Allow-Origin. The browser's Same Origin Policy is thereby waived for every origin: any web page can issue cross-origin requests to the application and read the responses, and if the `credentials` option is also enabled those requests carry the victim's cookies or other ambient credentials, which a wildcard `*` origin would never permit. The default is dangerous precisely because it is silent: an application that works in development with no CORS configuration ships the same behavior to production.

Recommendations: Upgrade to @koa/cors 5.0.0 or later, which fixes the default. Regardless of version, pass an explicit `origin` option: a fixed string, or a function that compares the request Origin against an allowlist and returns an empty value for anything else, and enable `credentials` only together with such an allowlist. Where the middleware is used only for prototypes and never for production applications, document that the permissive behavior is intentional and must not be carried over.
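The following is an added example, not code from the advisory or from the @koa/cors project. It models the single decision that matters here, which value (if any) the Access-Control-Allow-Origin header receives for a given request Origin, and shows the reflecting default beside an exact-match allowlist, including the effect of Access-Control-Allow-Credentials. The allowlist, the attacker origin, the `fakeCtx` helper and the function names are all constructed for this example; `originOption` is shaped like a @koa/cors `origin` callback but is not the library's own code.

```javascript
// Added example (not from the advisory or @koa/cors). Models what value the
// Access-Control-Allow-Origin (ACAO) header gets for a given request Origin.
// Allowlist, attacker origin and Koa-context stand-in are constructed here.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Behaviour the advisory describes for @koa/cors < 5.0.0 with no `origin`
// option: whatever Origin the request carries is echoed straight back.
// A request with no Origin header gets no ACAO header at all.
function reflectingAcao(requestOrigin) {
  return requestOrigin || null;
}

// Hardened decision: exact, case-sensitive allowlist match or nothing.
// Exact matching (not startsWith/includes/regex) is deliberate, so
// https://app.example.com.evil.net does not pass as https://app.example.com.
function allowlistedAcao(requestOrigin) {
  return ALLOWED_ORIGINS.has(requestOrigin) ? requestOrigin : null;
}

// Builds the CORS response headers for one request. `decide` is one of the
// two functions above; `credentials` mirrors the middleware option of that name.
function corsHeaders(requestOrigin, decide, credentials) {
  const headers = {};
  const acao = decide(requestOrigin);
  if (acao === null) return headers; // no ACAO header: the browser blocks the read
  headers['Access-Control-Allow-Origin'] = acao;
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// The same allowlist check shaped as a @koa/cors `origin` option (assumed
// shape): receives the Koa context, returns the origin to allow, or '' to
// send no CORS headers for this request.
function originOption(ctx) {
  return allowlistedAcao(ctx.get('Origin')) || '';
}

// Minimal constructed stand-in for the part of a Koa context the option uses.
function fakeCtx(headers) {
  return { get: (name) => headers[name.toLowerCase()] || '' };
}

// Side-by-side outcome for a cross-site attacker page with credentials on.
// Reflection + credentials lets evil.example.net read the victim's
// authenticated response; the allowlist yields no CORS headers at all.
function demo() {
  const attacker = 'https://evil.example.net';
  return {
    vulnerable: corsHeaders(attacker, reflectingAcao, true),
    hardened: corsHeaders(attacker, allowlistedAcao, true),
    hardenedAllowed: corsHeaders('https://app.example.com', allowlistedAcao, true),
    viaOption: originOption(fakeCtx({ origin: attacker })),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real application the check is wired in as `app.use(cors({ origin: originOption, credentials: true }))`; the `origin` option of @koa/cors accepts a function that receives the Koa context and may be async. The point of the `corsHeaders` comparison is that a wildcard `*` cannot be combined with credentials by browsers, whereas a reflected origin can, which is why reflection is strictly worse than `*` for any endpoint that relies on cookies or authorization headers.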

Weakness Enumeration
CWE-346 Origin Validation Error

Related Identifiers
CVE-2023-49803
GHSA-qxrj-hx23-xp82

Affected Products
@koa/cors