CVE-2025-57755
BaseFortify
Publication date: 2025-08-21
Last updated on: 2025-08-22
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| musistudio | claude-code-router | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-942 | The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in claude-code-router is caused by improper Cross-Origin Resource Sharing (CORS) configuration. It allows untrusted domains to potentially access user API Keys or equivalent credentials, which should be protected. Attackers can exploit this misconfiguration to steal credentials and misuse them.
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to attackers stealing your API credentials, abusing your accounts, exhausting your usage quotas, or accessing sensitive data associated with your account.
What immediate steps should I take to mitigate this vulnerability?
Update claude-code-router to version 1.0.34 or later, where the improper CORS configuration has been patched to prevent exposure of user API keys or credentials.