{"id":"CVE-2025-50864","details":"An Origin Validation Error in the elysia-cors library through 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking whether it is a substring of any domain in the site's CORS policy, rather than performing an exact match. For example, malicious origins such as \"notexample.com\" or \"example.common.net\" are whitelisted when the site's CORS policy specifies \"example.com\". This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation.","aliases":["GHSA-f9qj-4c5x-cpcw"],"modified":"2026-04-02T12:51:53.683897Z","published":"2025-08-20T15:15:32.990Z","references":[{"type":"WEB","url":"https://github.com/elysiajs/elysia-cors/blob/main/src/index.ts"},{"type":"WEB","url":"https://github.com/elysiajs/elysia-cors/tree/main"},{"type":"WEB","url":"https://medium.com/@raghavagrawal_23036/cors-bypass-in-popular-opensource-library-ad27fb41e16a"},{"type":"WEB","url":"http://elysiajs.com"},{"type":"FIX","url":"https://github.com/elysiajs/elysia-cors/commit/9b9eb92e32a7a4b43b6d5108668941701c33e221"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/elysiajs/elysia-cors","events":[{"introduced":"0"},{"fixed":"9b9eb92e32a7a4b43b6d5108668941701c33e221"}]}],"versions":["1.1.1","1.2.0","1.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-50864.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}