Description
sanic-cors version 2.2.0 and prior contains an improper regular expression in the try_match() function in sanic_cors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain unauthorized access to cross-origin requests for authenticated resources.
Published: 2026-06-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Sanic‑Cors library, specifically versions 2.2.0 and earlier, contains an improper regular expression in the try_match() function. The regex uses re.match without an end‑anchor, allowing a string that starts with a trusted origin to be considered a match. An attacker can craft a domain name that begins with an approved origin string, thereby bypassing the CORS origin allowlist and gaining unauthorized access to cross‑origin requests for resources that require authentication. This vulnerability is a form of improper authorization, first identified as CWE‑285.

Affected Systems

All deployments that use Sanic‑Cors library version 2.2.0 or older. The library is typically employed in Sanic web applications that implement CORS handling. Any application that relies on the default CORS allowlist mechanism of Sanic‑Cors falls within the affected scope.

Risk and Exploitability

The vulnerability actively compromises the integrity of CORS policies, permitting an attacker to impersonate a trusted origin. While no EPSS score is available and the vulnerability is not listed in CISA KEV, the absence of end‑anchoring in the regex makes it straightforward for an attacker who can register or introduce a domain prefixed by an allowed origin. No additional prerequisites are required beyond the ability to submit a domain that begins with a whitelisted origin. The CVSS score is not provided, but the attack surface is significant and exploitable in typical deployment scenarios.

Generated by OpenCVE AI on June 5, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sanic‑Cors to any release newer than 2.2.0 if available
  • Modify the try_match regular expression to use re.fullmatch or add an end‑anchor to ensure complete matches
  • Ensure the CORS origin allowlist is explicitly defined and periodically review it for excessive prefixes, restricting it to only those origins that are genuinely trusted

Generated by OpenCVE AI on June 5, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title CORS Allowlist Bypass in Sanic‑Cors due to Improper Regex
Weaknesses CWE-285

Fri, 05 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description sanic-cors version 2.2.0 and prior contains an improper regular expression in the try_match() function in sanic_cors/core.py that uses re.match without end-anchoring. This allows an attacker to bypass CORS origin allowlists by registering a domain that begins with a trusted origin string, to gain unauthorized access to cross-origin requests for authenticated resources.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T13:56:15.693Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-37737

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-06-05T15:16:51.720

Modified: 2026-06-05T16:07:55.053

Link: CVE-2026-37737

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T15:30:13Z

Weaknesses