Description
Vulnerable Library - cors-anywhere-0.4.4.tgz
CORS Anywhere is a reverse proxy which adds CORS headers to the proxied request. Request URL is taken from the path
Library home page: https://registry.npmjs.org/cors-anywhere/-/cors-anywhere-0.4.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 2e8e5197e265211790961302633a7091296b414c
Vulnerabilities
| Vulnerability | Severity | Exploit Maturity | EPSS | Dependency | Type | Fixed in (cors-anywhere version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36851 | 10.0 | Not Defined | 0.5% | cors-anywhere-0.4.4.tgz | Direct | N/A | ❌ | Potentially reachable |
| WS-2020-0091 | 7.5 | Not Defined | | http-proxy-1.11.1.tgz | Transitive | N/A* | ❌ | Potentially reachable |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-36851
Vulnerable Library - cors-anywhere-0.4.4.tgz
CORS Anywhere is a reverse proxy which adds CORS headers to the proxied request. Request URL is taken from the path
Library home page: https://registry.npmjs.org/cors-anywhere/-/cors-anywhere-0.4.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- ❌ cors-anywhere-0.4.4.tgz (Vulnerable Library)
Found in HEAD commit: 2e8e5197e265211790961302633a7091296b414c
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
vulnparty-server-0.1.0/cors-anywhere.js (Application)
-> ❌ cors-anywhere-0.4.4/lib/cors-anywhere.js (Vulnerable Component)
Vulnerability Details
Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF). Because the proxy forwards requests and headers, an attacker can reach internal-only endpoints and link-local metadata services, retrieve instance role credentials or other sensitive metadata, and interact with internal APIs and services that are not intended to be internet-facing. The vulnerability is exploitable by sending crafted requests to the proxy with the target resource encoded in the URL path; many cors-anywhere deployments forward arbitrary methods and headers (including PUT), which can permit exploitation of IMDSv2 workflows as well as access to internal management APIs. Successful exploitation can result in theft of cloud credentials, unauthorized access to internal services, remote code execution or privilege escalation (depending on reachable backends), data exfiltration, and full compromise of cloud resources. Mitigations include restricting the proxy to trusted origins or requiring authentication, allow-listing permitted target hosts, blocking link-local and internal IP ranges, removing support for unsafe HTTP methods and headers, enabling cloud provider mitigations, and deploying network-level protections.
Publish Date: 2025-09-25
URL: CVE-2020-36851
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.5%
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
WS-2020-0091
Vulnerable Library - http-proxy-1.11.1.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.11.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- cors-anywhere-0.4.4.tgz (Root Library)
- ❌ http-proxy-1.11.1.tgz (Vulnerable Library)
Found in HEAD commit: 2e8e5197e265211790961302633a7091296b414c
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
vulnparty-server-0.1.0/cors-anywhere.js (Application)
-> cors-anywhere-0.4.4/lib/cors-anywhere.js (Extension)
-> http-proxy-1.11.1/index.js (Extension)
-> ❌ http-proxy-1.11.1/lib/http-proxy.js (Vulnerable Component)
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-14
Fix Resolution: http-proxy - 1.18.1