PatchSiren cyber security CVE debrief
CVE-2020-36851 Rob--W / cors-anywhere CVE debrief
CVE-2020-36851 documents a Server-Side Request Forgery (SSRF) vulnerability in misconfigured instances of the cors-anywhere Node.js proxy library. When deployed without origin restrictions or authentication, the proxy lets unauthenticated external users direct the server to issue HTTP requests to arbitrary destinations, including internal-only endpoints and cloud metadata services. The vulnerability stems from the proxy's core functionality: forwarding requests and headers to user-specified targets. When that functionality is exposed to untrusted traffic, attackers can reach link-local addresses (such as 169.254.169.254 for AWS IMDS), retrieve instance role credentials, and interact with internal APIs not intended for internet exposure. Because the proxy forwards arbitrary HTTP methods and headers, including PUT requests, it can also complete the IMDSv2 token handshake (a PUT to the token endpoint carrying the token TTL header, followed by a GET carrying the returned token) and reach internal management interfaces that accept state-changing operations. Successful exploitation can result in cloud credential theft, unauthorized access to internal services, data exfiltration, and potentially remote code execution or privilege escalation depending on reachable backend capabilities. The issue was publicly disclosed through multiple GitHub issue reports and subsequently analyzed by security researchers who documented the widespread nature of open cors-anywhere deployments. The vulnerability is currently marked as Deferred in the National Vulnerability Database.
- Vendor
- Rob--W / cors-anywhere
- Product
- Unknown
- CVSS
- CRITICAL 9.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-09-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2025-09-25
- Advisory updated
- 2026-05-26
Who should care
Organizations operating cors-anywhere instances in production or exposed network segments; development teams using cors-anywhere for local testing without network isolation; cloud security teams managing environments where developers may deploy proxy services; security operations teams monitoring for SSRF exploitation patterns; and infrastructure teams responsible for network segmentation and cloud metadata service protection.
Technical summary
The cors-anywhere library provides a CORS proxy intended for development use. When deployed without the origin and target restrictions it supports, it functions as an open HTTP proxy. An attacker sends a request to the proxy with the target URL appended to the path (for example /http://target.internal/admin; the scheme defaults to http when omitted); the proxy forwards the request, including its method, headers and body, to that destination and returns the response to the attacker. Bypassing the browser same-origin policy is the proxy's purpose; the security problem is that a publicly reachable proxy also bypasses the network segmentation meant to protect internal resources, because every forwarded request originates from the proxy's own network position. Forwarding arbitrary headers lets an attacker satisfy IMDSv2 session-token requirements, and support for PUT and other methods permits interaction with REST APIs that may not require authentication for internal traffic. The vulnerability is configuration-dependent rather than a code defect: it affects deployments that omit the library's built-in access controls (an origin whitelist or blacklist, required request headers, header stripping and rate limiting) and that place the proxy where it can reach internal addresses.
Defensive priority
critical
Recommended defensive actions
- Audit all cors-anywhere deployments for open-proxy configurations lacking origin restrictions or authentication requirements
- Implement strict origin whitelisting to permit proxy requests only from trusted, authorized sources
- Restrict target hosts, preferably with an allowlist of the upstream hosts the front end actually needs, so the proxy cannot reach link-local addresses (169.254.0.0/16), metadata hostnames, loopback and RFC 1918 ranges; a hostname blocklist alone is weak because a public DNS name can resolve to an internal address
- Allow only GET, HEAD and the OPTIONS preflight so the proxy cannot issue state-changing requests such as the PUT that IMDSv2 token retrieval requires, or writes to internal REST APIs
- Remove or filter sensitive headers (Cookie, Authorization and metadata-token headers) that could facilitate credential exfiltration or authentication bypass
- Deploy network-level segmentation to isolate proxy instances from internal services and cloud metadata endpoints
- Enable cloud provider IMDS protections: on AWS, require IMDSv2 session tokens and set the PUT response hop limit to 1; note that the hop limit only stops requests that cross a network hop (for example from a container), not a proxy process running directly on the instance, so it complements rather than replaces method and target restrictions on the proxy
- Monitor proxy access logs for anomalous request patterns targeting internal addresses or metadata services
Evidence notes
The vulnerability description and technical details are derived from the NVD source record and associated references. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H) indicates a network attack vector, low attack complexity, an attack requirement (the open-proxy configuration), no privileges or user interaction required, high confidentiality and integrity impact with no availability impact on the vulnerable system, and high confidentiality, integrity and availability impact on subsequent systems reached through the proxy. Weakness classifications include CWE-918 (Server-Side Request Forgery) and CWE-942 (Overly Permissive Cross-domain Whitelist). The source references include multiple GitHub issues on the cors-anywhere repository, a SocketDev security advisory, and analytical content from CertiK and VulnCheck. The vendor field carries low confidence with an 'Unknown Vendor' classification and CertiK identified as a reference domain candidate, which indicates that the affected software is the open-source cors-anywhere project rather than a commercial vendor product.
Official resources
2025-09-25