PT-2025-39389 · WordPress · Cors-Anywhere

Jonathan Leitschuh · Published 2025-09-25 · Updated 2026-05-26 · CVE-2020-36851

CVSS v4.0: 9.5 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: cors-anywhere (affected versions not specified)

Description: Instances of cors-anywhere configured as an open proxy permit unauthenticated external users to initiate HTTP requests to arbitrary targets, leading to Server-Side Request Forgery (SSRF). The proxy forwards requests and headers, potentially granting access to internal-only endpoints and link-local metadata services. This can result in the retrieval of instance role credentials or other sensitive metadata, and in interaction with internal APIs and services. Exploitation involves sending crafted requests to the proxy with the target resource encoded in the URL. Deployments that forward arbitrary methods and headers, including PUT, may allow exploitation of IMDSv2 workflows and access to internal management APIs. Successful exploitation can lead to theft of cloud credentials, unauthorized access to internal services, remote code execution, privilege escalation, data exfiltration, and full compromise of cloud resources.

Recommendations: Restrict the proxy to trusted origins or require authentication. Allow-list permitted target hosts. Prevent access to link-local and internal IP ranges. Remove support for unsafe HTTP methods and headers. Enable cloud provider mitigations. Deploy network-level protections.
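The target-host, address-range and method checks recommended above, as an added JavaScript example; this is not code from the cors-anywhere project or from the advisory author. The policy object shape, the function names, the allow-listed host `api.example.com` and the blocked-range list are this example's own assumptions. Target URLs are parsed with the WHATWG `URL` class so that alternative IPv4 spellings (single decimal, octal, hex) and IPv4-mapped IPv6 literals are normalized before the range check.

```javascript
// Added example: target policy for a CORS proxy. Not part of cors-anywhere;
// policy shape, names and the blocked-range list are constructed for this example.
// Evaluates a proxied request against three rules from the advisory:
//   1. only safe HTTP methods (no PUT, which IMDSv2 token retrieval requires),
//   2. no link-local, loopback or private target addresses,
//   3. optional allow-list of target hostnames.

// IPv4 ranges a public proxy must never reach (constructed CIDR list).
const BLOCKED_IPV4 = [
  '0.0.0.0/8',      // "this" network
  '10.0.0.0/8',     // RFC 1918
  '100.64.0.0/10',  // shared address space; some cloud metadata services live here
  '127.0.0.0/8',    // loopback
  '169.254.0.0/16', // link-local, includes the 169.254.169.254 metadata endpoint
  '172.16.0.0/12',  // RFC 1918
  '192.168.0.0/16', // RFC 1918
  '224.0.0.0/4',    // multicast
  '240.0.0.0/4',    // reserved and broadcast
];

// Dotted-quad string -> unsigned 32-bit integer.
function ipv4ToInt(addr) {
  return addr.split('.').reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
}

function inCidr(addrInt, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return ((addrInt & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function ipv4IsBlocked(addr) {
  const n = ipv4ToInt(addr);
  return BLOCKED_IPV4.some((cidr) => inCidr(n, cidr));
}

// Expand an IPv6 literal (brackets already removed) into eight 16-bit groups.
// Handles "::" compression and a dotted-quad tail such as ::ffff:169.254.169.254.
function expandIPv6(addr) {
  const dbl = addr.indexOf('::');
  const head = dbl === -1 ? addr : addr.slice(0, dbl);
  const tail = dbl === -1 ? '' : addr.slice(dbl + 2);
  const toGroups = (s) => (s === '' ? [] : s.split(':').flatMap((g) =>
    g.includes('.') ? [ipv4ToInt(g) >>> 16, ipv4ToInt(g) & 0xffff] : [parseInt(g, 16)]));
  const h = toGroups(head);
  const t = toGroups(tail);
  if (dbl === -1) return h;
  return [...h, ...new Array(8 - h.length - t.length).fill(0), ...t];
}

function ipv6IsBlocked(addr) {
  const g = expandIPv6(addr);
  const leadingZero = (n) => g.slice(0, n).every((x) => x === 0);
  if (leadingZero(7) && (g[7] === 0 || g[7] === 1)) return true; // :: and ::1
  if ((g[0] & 0xffc0) === 0xfe80) return true;                    // fe80::/10 link-local
  if ((g[0] & 0xfe00) === 0xfc00) return true;                    // fc00::/7 unique local
  if ((g[0] & 0xff00) === 0xff00) return true;                    // ff00::/8 multicast
  if (leadingZero(5) && g[5] === 0xffff) {                        // ::ffff:a.b.c.d IPv4-mapped
    const v4 = [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.');
    return ipv4IsBlocked(v4);
  }
  return false;
}

// policy.allowedMethods: Set of upper-case methods; policy.allowedHosts: Set or null (any host).
function evaluateProxyRequest(method, targetUrl, policy) {
  let url;
  try {
    url = new URL(targetUrl);
  } catch {
    return { allowed: false, reason: 'unparseable target URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: `scheme ${url.protocol} not proxied` };
  }
  if (!policy.allowedMethods.has(method.toUpperCase())) {
    return { allowed: false, reason: `method ${method} not proxied` };
  }
  // WHATWG parsing leaves IPv6 hosts bracketed and IPv4 hosts in canonical dotted-decimal form.
  const isV6 = url.hostname.startsWith('[');
  const host = isV6 ? url.hostname.slice(1, -1) : url.hostname;
  const isV4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if ((isV4 && ipv4IsBlocked(host)) || (isV6 && ipv6IsBlocked(host))) {
    return { allowed: false, reason: `blocked address ${host}` };
  }
  if (policy.allowedHosts && !policy.allowedHosts.has(host)) {
    return { allowed: false, reason: `host ${host} not in allow-list` };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed policy: read-only methods and a single allow-listed API host.
const EXAMPLE_POLICY = {
  allowedMethods: new Set(['GET', 'HEAD', 'OPTIONS']),
  allowedHosts: new Set(['api.example.com']),
};

// Demo against constructed requests.
for (const [m, u] of [['GET', 'https://api.example.com/data'], ['GET', 'http://169.254.169.254/latest/meta-data/']]) {
  console.log(m, u, evaluateProxyRequest(m, u, EXAMPLE_POLICY));
}
```

The hostname allow-list is matched by name only; a name that resolves to an internal address is not caught here, so a production deployment should also resolve the target, apply the same range check to every resolved address, and connect to the checked address rather than re-resolving.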

Fix · LPE · RCE · SSRF

Weakness Enumeration

Related Identifiers

CVE-2020-36851
GHSA-9WMG-93PW-FC3G
GHSA-R3JV-XFGX-GJ24

Affected Products

Cors-Anywhere