F-2026-0006·permissive-cors

Overly Permissive CORS Policy

Status: Fixed · Tags: pentest, backend, api · Repository: github.com/bloom-art/api
TL;DR

The CORS policy reflected every request Origin with credentials enabled, allowing any attacker-controlled site to make credentialed cross-origin requests to cookie-authenticated endpoints and read the responses (cross-site request forgery and data exfiltration). Primary authentication uses Authorization headers, which browsers do not attach automatically, so the practical impact was limited.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW

Description

```typescript
import { NestExpressApplication } from "@nestjs/platform-express";

// bootstrap.utils.ts L134-L140
function initCors(app: NestExpressApplication): void {
  app.enableCors({
    origin: true, // reflects ALL origins: Access-Control-Allow-Origin echoes the request's Origin header
    methods: "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS",
    credentials: true, // allows cookies cross-origin: Access-Control-Allow-Credentials: true
  });
}
```

Frontend / on-chain mitigation analysis: CORS is a server-side policy; no frontend or on-chain control can mitigate it. The primary customer API authentication uses Authorization headers, which browsers do not attach automatically to cross-origin requests, so the practical CSRF risk is reduced. Any endpoint that accepts a session cookie remains exposed.


Impact

Cross-site request forgery and data exfiltration for cookie-authenticated endpoints. Practical impact is currently limited because the primary auth uses Authorization headers.


Recommendation

Replace origin: true with an explicit allowlist of trusted origins, matched exactly on scheme, host and port (no substring or unanchored regex checks), so that credentials: true only ever applies to first-party origins.
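The following is an added example, not code from the bloom-art/api repository. It places the reflective policy from the finding beside an allowlist policy in the shape the `cors` package (which NestJS's `enableCors` wraps) accepts for a function-valued `origin`, and adds a small model of how that middleware turns the `origin` and `credentials` options into response headers so the difference can be checked offline. The allowlisted origins are hypothetical values.

```typescript
// Callback shape used by the cors package for a function-valued `origin`.
type OriginCallback = (err: Error | null, allow?: boolean) => void;
type OriginOption =
  | boolean
  | ((requestOrigin: string | undefined, cb: OriginCallback) => void);

interface CorsPolicy {
  origin: OriginOption;
  credentials: boolean;
}

// Hypothetical first-party origins; a real deployment would load these from
// configuration. Entries are full origins: scheme + host + port.
const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Exact-match check. Prefix/suffix or unanchored regex checks are a classic
// bypass (e.g. https://app.example.com.attacker.test).
function isAllowedOrigin(requestOrigin: string | undefined): boolean {
  return requestOrigin !== undefined && ALLOWED_ORIGINS.has(requestOrigin);
}

// The vulnerable configuration from the finding: every Origin is reflected
// and credentials are allowed.
const reflectivePolicy: CorsPolicy = { origin: true, credentials: true };

// The recommended configuration: a per-request decision. Answering `false`
// makes the cors middleware emit no CORS headers at all for that request.
const allowlistPolicy: CorsPolicy = {
  origin: (requestOrigin, cb) => cb(null, isAllowedOrigin(requestOrigin)),
  credentials: true,
};

// Resolve the `origin` option to a yes/no decision for one request.
function originAllowed(policy: CorsPolicy, requestOrigin: string | undefined): boolean {
  if (typeof policy.origin !== "function") return policy.origin;
  let decision = false;
  policy.origin(requestOrigin, (_err, allow) => {
    decision = allow === true;
  });
  return decision;
}

// Simplified model of the cors middleware: with `origin: true` the request's
// Origin is echoed in Access-Control-Allow-Origin (plus Vary: Origin); with
// `credentials: true` Access-Control-Allow-Credentials: true is added.
function corsResponseHeaders(
  policy: CorsPolicy,
  requestOrigin: string | undefined,
): Record<string, string> {
  const headers: Record<string, string> = {};
  if (requestOrigin === undefined || !originAllowed(policy, requestOrigin)) {
    return headers; // no Origin header, or origin rejected: nothing is emitted
  }
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Vary"] = "Origin";
  if (policy.credentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed attacker origin used to compare the two policies.
const ATTACKER_ORIGIN = "https://attacker.test";
console.log("reflective:", corsResponseHeaders(reflectivePolicy, ATTACKER_ORIGIN));
console.log("allowlist: ", corsResponseHeaders(allowlistPolicy, ATTACKER_ORIGIN));
```

With the reflective policy the attacker origin receives `Access-Control-Allow-Origin: https://attacker.test` together with `Access-Control-Allow-Credentials: true`, which is exactly the pair a browser requires before it will let a cross-origin script read a cookie-authenticated response. With the allowlist policy the same request gets no CORS headers, while a first-party origin still gets the credentialed headers it needs.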


Resolution

Fixed by infrastructure deletion in PR #3706: the dead session stack (express-session, cookie-parser, connect-redis) was removed entirely, and CORS is now { origin: true, credentials: false }. With credentials disabled the browser sends no cookies on cross-origin requests and will not expose credentialed responses, so reflecting the origin is no longer exploitable; the configuration stays safe only as long as no cookie-based or other ambient-credential authentication is reintroduced, in which case the explicit allowlist from the recommendation becomes necessary again.


© 2026 Zealynx