Full Report
Private Network Access (PNA) is a new browser security feature that prevents public websites from directly accessing resources on a user's local network. Segmenting the local network in this way matters because it blocks CSRF-like attacks that use the browser to compromise a user's network. The mechanism is the `Access-Control-Allow-Private-Network` response header: if a site does not return it, the browser rejects the local network request. In Flask-CORS, the default for this header was `true`, which effectively removed the protections of the new PNA specification. The fix simply changes the default to `false`.
Analysis Summary
# Vulnerability: Default Permissive Private Network Access in Flask-CORS
## CVE Details
- **CVE ID:** CVE-2024-6221
- **CVSS Score:** 8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
- **CWE:** CWE-284 (Improper Access Control)
## Affected Systems
- **Products:** Flask-CORS (Python package)
- **Versions:** All versions prior to 4.0.2 (specifically 4.0.1 and earlier).
- **Configurations:** Any Flask application utilizing the Flask-CORS extension where the server is hosted on a private or internal network.
## Vulnerability Description
Flask-CORS previously set the `Access-Control-Allow-Private-Network` header to `true` by default without providing a configuration option to toggle it. This header is part of the Private Network Access (PNA) browser security specification.
By defaulting to `true`, the library effectively bypassed browser protections designed to prevent external public websites from making cross-origin requests to internal/private network resources. This flaw circumvents the security mechanism intended to block CSRF-like attacks targeting local services or internal infrastructure.
## Exploitation
- **Status:** PoC availability indicated (via Huntr bounty/security reports); no confirmed widespread exploitation in the wild reported.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (External actors can bypass PNA restrictions to access data from private network resources).
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
- **Flask-CORS 4.0.2:** This version updates the default value of the `Access-Control-Allow-Private-Network` header to `false`, aligning with secure-by-default principles.
### Workarounds
- If updating the library is not immediately possible, manually override the response headers in the Flask application so that `Access-Control-Allow-Private-Network` is never set to `true` for origins that should not reach the service.
## Detection
- **Indicators of Compromise:** Review web server response headers for `Access-Control-Allow-Private-Network: true` on internal services that should not be reachable by public web origins.
- **Detection Methods and Tools:** Use browser developer tools or automated security scanners (e.g., ZAP, Burp Suite) to inspect the CORS headers returned by internal Flask applications.
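The following is an added example, not Flask-CORS's own code or the project's fix, illustrating both the workaround above and the header check described under Detection. It assumes a WSGI middleware (the name `PrivateNetworkAccessGuard` and its origin-allowlist policy are this example's own design) that removes any `Access-Control-Allow-Private-Network` header the wrapped application emits and re-adds `true` only when an allowlisted `Origin` sends a PNA preflight, which mirrors the secure-by-default behaviour of 4.0.2 while letting a known intranet origin through. A hand-written WSGI app with the pre-4.0.2 behaviour (constructed, not Flask-CORS) stands in for a Flask application so the demo runs offline; the origins and paths are constructed sample values.

```python
"""Added example (not Flask-CORS's own code): a WSGI middleware enforcing a secure
Private Network Access default, plus an audit of response headers that implements
the advisory's detection check. Runs offline against a constructed WSGI app."""
import http.client
from typing import Iterable, List, Tuple

Headers = List[Tuple[str, str]]

PNA_RESPONSE_HEADER = "Access-Control-Allow-Private-Network"
# WSGI spells the request header Access-Control-Request-Private-Network as:
PNA_REQUEST_ENV = "HTTP_ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK"


class PrivateNetworkAccessGuard:
    """Hypothetical middleware: drop any PNA header the wrapped app emits and re-add
    `true` only for an allowlisted Origin answering a PNA preflight.
    An empty allowlist means nobody, matching the 4.0.2 secure default."""

    def __init__(self, app, allowed_origins: Iterable[str] = ()):
        self.app = app
        self.allowed_origins = {o.lower() for o in allowed_origins}

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN", "").lower()
        pna_preflight = environ.get(PNA_REQUEST_ENV, "").lower() == "true"
        permit = pna_preflight and origin in self.allowed_origins

        def guarded_start_response(status, headers, exc_info=None):
            kept = [(k, v) for k, v in headers
                    if k.lower() != PNA_RESPONSE_HEADER.lower()]
            if permit:
                kept.append((PNA_RESPONSE_HEADER, "true"))
            return start_response(status, kept, exc_info)

        return self.app(environ, guarded_start_response)


def vulnerable_app(environ, start_response):
    """Constructed stand-in for the pre-4.0.2 behaviour: every PNA preflight,
    from any origin, is answered with Access-Control-Allow-Private-Network: true."""
    headers = [("Content-Type", "text/plain"),
               ("Access-Control-Allow-Origin", environ.get("HTTP_ORIGIN", "*"))]
    if environ.get(PNA_REQUEST_ENV, "").lower() == "true":
        headers.append((PNA_RESPONSE_HEADER, "true"))
    start_response("200 OK", headers)
    return [b"ok"]


def call_wsgi(app, method: str, path: str, request_headers: dict) -> Tuple[str, Headers]:
    """Drive a WSGI app in-process (no sockets) and capture status and headers."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "SERVER_NAME": "intranet.local",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    for name, value in request_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    b"".join(app(environ, start_response))  # consume the body iterable
    return captured["status"], captured["headers"]


def audit_response_headers(headers: Headers) -> List[str]:
    """Detection check from the advisory: report a permissive PNA header."""
    return [f"{PNA_RESPONSE_HEADER}: true is set; a public web origin can reach this private service"
            for name, value in headers
            if name.lower() == PNA_RESPONSE_HEADER.lower() and value.strip().lower() == "true"]


def probe_pna_preflight(host: str, port: int, path: str = "/",
                        origin: str = "https://public-site.example") -> List[str]:
    """Send the PNA preflight a browser would send to an internal service you
    operate and audit the live answer (network call; not used by the offline demo)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path, headers={
        "Origin": origin, "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Private-Network": "true"})
    try:
        return audit_response_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


PREFLIGHT = {"Origin": "https://public-site.example",  # constructed public origin
             "Access-Control-Request-Method": "GET",
             "Access-Control-Request-Private-Network": "true"}


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Findings for: unpatched app, guarded app (public origin), guarded app (allowlisted origin)."""
    _, unpatched = call_wsgi(vulnerable_app, "OPTIONS", "/admin/api", PREFLIGHT)
    guarded = PrivateNetworkAccessGuard(vulnerable_app, allowed_origins=["https://portal.intranet.local"])
    _, public = call_wsgi(guarded, "OPTIONS", "/admin/api", PREFLIGHT)
    _, trusted = call_wsgi(guarded, "OPTIONS", "/admin/api",
                           dict(PREFLIGHT, Origin="https://portal.intranet.local"))
    return audit_response_headers(unpatched), audit_response_headers(public), audit_response_headers(trusted)


if __name__ == "__main__":
    for label, findings in zip(("unpatched", "guarded, public origin", "guarded, allowlisted origin"), demo()):
        print(f"{label}: {findings or 'no permissive PNA header'}")
```

To apply the guard to a real Flask application, wrap its WSGI callable (`app.wsgi_app = PrivateNetworkAccessGuard(app.wsgi_app, allowed_origins=[...])`) before Flask-CORS's headers reach the client; the middleware runs after the extension, so it wins regardless of the library version. The audit deliberately flags every `true`, including the allowlisted case, so that a reviewer confirms each permitted origin is intended rather than inherited from the old default.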
## References
- hxxps://nvd.nist.gov/vuln/detail/CVE-2024-6221
- hxxps://github.com/corydolphin/flask-cors/releases
- hxxps://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d
- hxxps://github.com/corydolphin/flask-cors/commit/c8514760cf03fcce16d77f6db7007aad429c4548