CRITICAL
Rob--W / cors-anywhere
CVE published 2025-09-25
CVE-2020-36851
CVE-2020-36851 documents a Server-Side Request Forgery (SSRF) vulnerability in misconfigured instances of the cors-anywhere Node.js proxy library. When deployed without origin restrictions or authentication, the proxy permits unauthenticated external users to direct the server to issue HTTP requests to arbitrary destinations, including internal-only endpoints and cloud metadata services. The vulnerability [truncated]