CVE-2025-50864

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: elysia-cors versions through 1.3.0

Description: An origin validation error in the elysia-cors library allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site’s CORS policy, rather than performing an exact match. For example, a malicious origin like “notexample.com” or “example.common.net” is whitelisted when the site’s CORS policy specifies “example.com”. This enables unauthorized access to user data on sites using the elysia-cors library for CORS validation.

Recommendations: Update to a version of elysia-cors beyond 1.3.0.

Fix

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-178CWE-346

Related Identifiers

CVE-2025-50864

GHSA-F9QJ-4C5X-CPCW

Affected Products

@Elysiajs/Cors

CVE-2025-50864

Weakness Enumeration

Related Identifiers

Affected Products

References · 14