External risk intelligence

Unauthenticated users can steal cloud credentials or access internal systems using this proxy.

CVE advisory

Severity: CRITICAL (CVSS 9.5)

CVE-2020-36851

Misconfigured cors-anywhere proxies can let attackers steal cloud credentials or access internal systems by tricking the proxy into making requests to any target.

Halo Surface Signal: 5

Server-Side Request Forgery

External exposure likelihood

Halo Surface Signal score for CVE-2020-36851

cors-anywhere is a Node.js reverse proxy designed specifically to be deployed as an unauthenticated, public-facing web API. Its primary function is to receive and forward HTTP requests from public client-side applications to bypass CORS restrictions, so in normal use the vulnerable proxy service is exposed to the public internet by design.

Horizon Alert

Summary of the vulnerability and why it matters

Misconfigured instances of the cors-anywhere proxy can be abused by unauthenticated users to make the server perform HTTP requests to any destination. This vulnerability allows attackers to access internal-only services, retrieve sensitive cloud credentials, and potentially gain full control of cloud resources.

  • Access internal systems.
  • Steal cloud credentials.
  • Compromise cloud resources.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending specially crafted requests to a misconfigured `cors-anywhere` proxy. This allows them to trick the proxy into making HTTP requests to arbitrary internal or external targets on their behalf. The attacker can then leverage this Server-Side Request Forgery (SSRF) to access sensitive internal endpoints, retrieve cloud instance credentials, or interact with internal APIs.

  • Publicly accessible proxy instance required.
  • Crafted request to proxy URL.
  • Target internal endpoints.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to exploit misconfigured `cors-anywhere` instances for Server-Side Request Forgery (SSRF). Attackers can force the proxy to make requests to arbitrary internal endpoints or cloud metadata services, potentially leading to credential theft, unauthorized access, or remote code execution. The design of `cors-anywhere` as a public-facing proxy increases its attractiveness for exploitation.

  • Publicly exposed by design.
  • Enables SSRF for credential theft.
  • Exploitable via crafted requests.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking and isolating any exposed `cors-anywhere` instances immediately, as they can be leveraged for Server-Side Request Forgery (SSRF) to steal cloud credentials or access internal services. Review logs for any signs of SSRF exploitation or unauthorized access attempts targeting internal endpoints or metadata services. If instances cannot be isolated immediately, implement strict network egress filtering to prevent connections to internal IP ranges and metadata services.

  • Block all incoming traffic to exposed instances.
  • Implement strict egress filtering for internal IPs.
  • Monitor for anomalous outbound connections.
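
One way to apply the egress-filtering and log-review steps above, as an added example that is not code from cors-anywhere or from this advisory: a check for resolved destination addresses plus a scan of outbound connection records. The record format, the host name `proxy-1` and the sample records are constructed assumptions; 169.254.169.254 is the link-local address commonly used by cloud metadata services.

```javascript
// Added example, not cors-anywhere code. Log format and sample records are constructed.
const BLOCKED_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], // RFC 1918 private
  ['127.0.0.0', 8],    // loopback
  ['169.254.0.0', 16], // link-local, where cloud metadata services live
  ['100.64.0.0', 10],  // shared address space (RFC 6598)
];

// Dotted-quad string to integer, or null if it is not a strict IPv4 literal.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((n, p) => n * 256 + Number(p), 0) : null;
}

// True when a resolved destination address must not be reachable from the proxy.
function isBlockedDestination(addr) {
  let a = addr.toLowerCase();
  const mapped = a.startsWith('::ffff:'); // IPv4-mapped IPv6
  if (mapped) a = a.slice(7);
  const v4 = ipv4ToInt(a);
  if (v4 !== null) {
    return BLOCKED_V4.some(([base, bits]) => {
      const start = ipv4ToInt(base);
      return v4 >= start && v4 < start + 2 ** (32 - bits);
    });
  }
  // IPv6: loopback, unspecified, unique-local fc00::/7, link-local fe80::/10.
  if (!mapped && a.includes(':')) {
    return a === '::1' || a === '::' || /^f[cd][0-9a-f]{2}:|^fe[89ab][0-9a-f]:/.test(a);
  }
  return true; // hostname or unparsed form: fail closed until it is resolved
}

// Constructed egress records: "<time> <proxy host> -> <dst>:<port>".
const SAMPLE_EGRESS = [
  '2024-01-01T10:00:00Z proxy-1 -> 93.184.216.34:443',
  '2024-01-01T10:00:05Z proxy-1 -> 169.254.169.254:80',
  '2024-01-01T10:00:09Z proxy-1 -> 10.0.3.17:8080',
  '2024-01-01T10:00:12Z proxy-1 -> [fd00::1]:443',
];

// Return the records whose destination falls in a blocked range.
function flagEgress(lines) {
  return lines.filter((line) => {
    const m = /->\s*\[?([0-9a-f:.]+?)\]?:(\d+)$/i.exec(line.trim());
    return m !== null && isBlockedDestination(m[1]);
  });
}
```

The check is meant to run on the address the proxy host actually connects to, after DNS resolution, so that a public name resolving to an internal address is still caught.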

Frequently asked questions

What is CVE-2020-36851, and how does it impact software systems?

CVE-2020-36851 is a critical vulnerability affecting instances of the cors-anywhere proxy. Misconfigured instances can be exploited by unauthenticated users to make the server send HTTP requests to arbitrary destinations. This vulnerability can lead to accessing internal systems, stealing cloud credentials, and potentially compromising cloud resources.

How can attackers exploit the cors-anywhere proxy vulnerability (CWE-918, CWE-942)?

Attackers exploit this Server-Side Request Forgery (SSRF) vulnerability by sending specially crafted requests to a misconfigured cors-anywhere proxy. This tricks the proxy into making requests to arbitrary internal or external targets on the attacker's behalf. Access to internal-only endpoints and cloud metadata services is possible, potentially revealing sensitive information.

What is the trigger path and scope for exploiting CVE-2020-36851?

Exploitation requires a publicly accessible cors-anywhere proxy instance. The trigger path involves sending a crafted request to the proxy's URL, targeting internal endpoints. By forwarding requests and headers, the proxy can be made to interact with internal services and metadata endpoints, bypassing intended access controls.

How relevant is the cors-anywhere proxy vulnerability (CVE-2020-36851) in the current threat landscape?

This vulnerability is highly relevant because cors-anywhere is designed as a public-facing proxy and is often exposed to the internet. The Halo Surface Signal rates it as 'Very likely' to be exploited because it enables SSRF for credential theft and unauthorized access to internal systems. Exploitation is possible via crafted requests to misconfigured instances.

What are the recommended operational fixes for the cors-anywhere proxy vulnerability?

To mitigate this vulnerability, immediately block and isolate any exposed cors-anywhere instances. Implement strict network egress filtering to prevent connections to internal IP ranges and metadata services. Monitor for signs of SSRF exploitation or unauthorized access attempts. Review logs for anomalous outbound connections, and if possible, remove support for unsafe HTTP methods/headers.

References