CVE-2024-6839

Publication date 20 March 2025

Last updated 3 July 2025

Ubuntu priority

Cvss 3 Severity Score

corydolphin/flask-cors version 4.0.1 contains an improper regex path matching vulnerability. The plugin prioritizes longer regex patterns over more specific ones when matching paths, which can lead to less restrictive CORS policies being applied to sensitive endpoints. This mismatch in regex pattern priority allows unauthorized cross-origin access to sensitive data or functionality, potentially exposing confidential information and increasing the risk of unauthorized actions by malicious actors.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
python-flask-cors	25.04 plucky	Fixed 5.0.0-1ubuntu0.1
	24.10 oracular	Fixed 4.0.1-1ubuntu0.1
	24.04 LTS noble	Fixed 4.0.0-1ubuntu0.1~esm1
	22.04 LTS jammy	Fixed 3.0.9-2ubuntu0.1
	20.04 LTS focal	Fixed 3.0.8-2ubuntu0.1+esm1

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
python-flask-cors	Upstream: e970988 Upstream: https://github.com/corydolphin/flask-cors/pull/392 Upstream: 4ad56d6

Severity score breakdown

Parameter	Value
Base score	4.3 · Medium
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	Low
Integrity impact	None
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References

Related Ubuntu Security Notices (USN)

USN-7612-1
Flask-CORS vulnerabilities
2 July 2025