[Buildroot] [PATCH] package/python-flask-cors: security bump to v6.0.1

Peter Korsgaard peter at korsgaard.com
Wed Sep 3 16:16:16 UTC 2025


>>>>> "Titouan" == Titouan Christophe via buildroot <buildroot at buildroot.org> writes:

 > This is a major version bump, because it could break user code that depends
 > on the (wrong) previous logic fixed by the new release

 > See the release notes:
 > - https://github.com/corydolphin/flask-cors/releases/tag/6.0.0
 > - https://github.com/corydolphin/flask-cors/releases/tag/6.0.1

 > This fixes the following vulnerabilities:
 > - CVE-2024-6839:
 >     corydolphin/flask-cors version 4.0.1 contains an improper regex path
 >     matching vulnerability. The plugin prioritizes longer regex patterns
 >     over more specific ones when matching paths, which can lead to less
 >     restrictive CORS policies being applied to sensitive endpoints. This
 >     mismatch in regex pattern priority allows unauthorized cross-origin
 >     access to sensitive data or functionality, potentially exposing
 >     confidential information and increasing the risk of unauthorized
 >     actions by malicious actors.
 >     https://www.cve.org/CVERecord?id=CVE-2024-6839

 > - CVE-2024-6844:
 >     A vulnerability in corydolphin/flask-cors version 4.0.1 allows for
 >     inconsistent CORS matching due to the handling of the '+' character in
 >     URL paths. The request.path is passed through the unquote_plus
 >     function, which converts the '+' character to a space ' '. This
 >     behavior leads to incorrect path normalization, causing potential
 >     mismatches in CORS configuration. As a result, endpoints may not be
 >     matched correctly to their CORS settings, leading to unexpected CORS
 >     policy application. This can cause unauthorized cross-origin access or
 >     block valid requests, creating security vulnerabilities and usability
 >     issues.
 >     https://www.cve.org/CVERecord?id=CVE-2024-6844

 > - CVE-2024-6866:
 >     corydolphin/flask-cors version 4.01 contains a vulnerability where the
 >     request path matching is case-insensitive due to the use of the
 >     `try_match` function, which is originally intended for matching hosts.
 >     This results in a mismatch because paths in URLs are case-sensitive,
 >     but the regex matching treats them as case-insensitive. This
 >     misconfiguration can lead to significant security vulnerabilities,
 >     allowing unauthorized origins to access paths meant to be restricted,
 >     resulting in data exposure and potential data leaks.
 >     https://www.cve.org/CVERecord?id=CVE-2024-6866

 > Signed-off-by: Titouan Christophe <titouan.christophe at mind.be>

Committed, thanks.

-- 
Bye, Peter Korsgaard
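Added illustrative example, not flask-cors code and not part of this thread: a small Python resource matcher whose defaults are the hardened behaviour (percent-decode only, case-sensitive, first declared rule wins), with keyword switches that reproduce each of the three defects the quoted commit message describes, so each can be observed in isolation. The RULES table and the probe paths are constructed for a hypothetical application.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed policy table for a hypothetical app (not flask-cors's own data):
# (path regex, allowed origins), most specific rule declared first.
# The public catch-all is deliberately the LONGEST pattern string.
RULES = [
    (r"/admin/.*", ["https://admin.example"]),               # sensitive
    (r"/reports\+internal/.*", ["https://admin.example"]),   # literal '+' in path
    (r"/(?:[^?#]*)", ["*"]),                                 # public catch-all
]


def match_policy(path, *, plus_as_space=False, ignore_case=False, longest_first=False):
    """Return the allowed-origins list for a request path.

    Defaults give the hardened behaviour: percent-decode only, case-sensitive,
    fully anchored, first declared rule wins. Each keyword switches on one of
    the defects described in the CVEs so its effect can be seen on its own.
    """
    # CVE-2024-6844: unquote_plus turns '+' into ' ' and so changes the path.
    path = unquote_plus(path) if plus_as_space else unquote(path)
    # CVE-2024-6839: longest pattern string tried first instead of most specific.
    rules = sorted(RULES, key=lambda r: len(r[0]), reverse=True) if longest_first else RULES
    # CVE-2024-6866: case-insensitive matching of a case-sensitive URL path.
    flags = re.IGNORECASE if ignore_case else 0
    for pattern, origins in rules:
        if re.fullmatch(pattern, path, flags):
            return origins
    return []   # no rule matched: no CORS headers are emitted (deny)


def origin_allowed(path, origin, **defects):
    """True if a response for `path` would carry Access-Control-Allow-Origin for `origin`."""
    allowed = match_policy(path, **defects)
    return "*" in allowed or origin in allowed


if __name__ == "__main__":
    for probe in ["/admin/users", "/reports+internal/q3", "/ADMIN/users"]:
        print(probe,
              "hardened:", match_policy(probe),
              "longest_first:", match_policy(probe, longest_first=True),
              "plus_as_space:", match_policy(probe, plus_as_space=True),
              "ignore_case:", match_policy(probe, ignore_case=True))
```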

