Impact
The vulnerability lies in the CORSFilter used by the Helix‑REST server; it unconditionally returns Access‑Control‑Allow‑Origin: * together with Access‑Control‑Allow‑Credentials: true and echoes arbitrary preflight headers. This enables a remote attacker who can host a malicious web page to make cross‑origin requests from an authorized user’s browser and read or modify responses from administrative REST endpoints, potentially exposing configuration data or allowing unauthorized operations. The weakness is classified as CWE‑1385, a permissive cross‑origin policy.
Affected Systems
All installations of Apache Helix REST version 2.0.0 and earlier on any platform are affected, regardless of platform or deployment architecture. Users are recommended to upgrade to version 2.0.1, which replaces the permissive CORS filter with a more restrictive configuration.
Risk and Exploitability
The CVSS score is 7.5 and the EPSS score is below 1 %, indicating a moderate severity and low likelihood of exploitation at the moment. The vulnerability has not yet been listed in CISA’s KEV catalog. An attacker would need to persuade an authenticated user to visit a malicious page, but no authentication bypass is required. Once a user is tricked, the crossover requests can be conducted from the victim’s browser, enabling data theft or denial of service against administrative endpoints.
OpenCVE Enrichment