The Sanic-Cors library, up to and including version 2.2.0, contains an improper regular expression inside the try_match() function in sanic_cors/core.py. The regex uses re.match without an end‑anchor, meaning any string that starts with a trusted origin string will be accepted as a match. This flaw allows an attacker to craft a domain name that prefixes an approved origin, thereby bypassing the CORS origin allowlist and gaining unauthorized access to cross‑origin requests for resources that require authentication. The deficiency is a form of improper authorization compounded by weaknesses in the authentication boundary (CWE‑346) and cryptographic token handling (CWE‑625).

Any project that incorporates Sanic-Cors 2.2.0 or earlier, typically Sanic web applications that use the library’s default CORS handling, is vulnerable. The impact applies regardless of the specific deployment environment as long as the affected library version is present.

The static nature of the regex flaw makes exploitation straightforward for an adversary who can register or otherwise introduce a domain that prefixes an allowed origin. While no EPSS score is available, the medium CVSS score of 6.5 reflects the attacker's ability to bypass security boundaries without needing privileged access. The vulnerability is not listed in CISA’s KEV catalog, but the absence of proper end‑anchoring in the regex represents a significant risk in typical deployment contexts.