F-2025-0014·configuration
Overly permissive CORS configuration
TL;DR
The CORS policy permitted broad cross-origin access that did not match the intended threat model, increasing exposure of the Router API to untrusted callers.
Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
Complexity: LOW
Exploitability: LOW
Description
The Router API's CORS configuration allowed broader cross-origin access than necessary. Combined with M-01 (the open-proxy issue) and the missing security headers (L-08), the overall posture was permissive enough that careful tightening was warranted.
Recommendation
Restrict Access-Control-Allow-Origin to a closed list of trusted origins. Avoid reflecting the Origin header. If credentials are required, the origin must be a specific fixed value, not a wildcard.
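As an added example (not code from the audit or from the Router API itself), a Go net/http middleware that applies the recommendation: the request Origin is compared exactly against a closed allowlist, the response carries the allowlist entry rather than an echo of the request header, and credentials are only ever paired with that fixed origin. The origins, port and placeholder handler are constructed values.

```go
package main

import (
	"log"
	"net/http"
)

// Closed allowlist of trusted origins (constructed sample values): full scheme://host[:port] strings, compared exactly.
var trustedOrigins = []string{"https://app.example.com", "https://admin.example.com"}

// decideCORS returns the Access-Control-Allow-Origin value for a request Origin. It emits the
// matching allowlist entry, never the echoed request header, so an unknown origin is never
// reflected, and it never emits "*" because credentialed responses require a fixed origin.
func decideCORS(origin string, allowed []string, withCredentials bool) (allowOrigin string, allowCreds bool) {
	if origin == "" {
		return "", false // same-origin or non-browser caller: no CORS headers at all
	}
	for _, a := range allowed {
		if a == origin {
			return a, withCredentials
		}
	}
	return "", false // untrusted origin: header omitted, the browser blocks the read
}

// corsMiddleware applies decideCORS to every request and answers preflights itself.
func corsMiddleware(allowed []string, withCredentials bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ao, creds := decideCORS(r.Header.Get("Origin"), allowed, withCredentials); ao != "" {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", ao)
			h.Add("Vary", "Origin") // shared caches must key the response on Origin
			h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
			if creds {
				h.Set("Access-Control-Allow-Credentials", "true")
			}
		}
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent) // preflight: headers only, no body
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) }) // placeholder for the API routes
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", corsMiddleware(trustedOrigins, true, api)))
}
```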
Initia: Acknowledged. Pashov Audit Group: Acknowledged.