CVE-2026-37737
Status: Deferred - Pending Action
Improper Regex in Sanic-CORS Allowlist Bypass

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: MITRE

Description
sanic-cors version 2.2.0 and prior contains an improper regular expression check in the try_match() function in sanic_cors/core.py: it uses re.match(), which anchors a pattern only at the start of the string, without an end anchor. An Origin header that merely begins with a trusted origin pattern is therefore accepted, so an attacker who registers a domain whose name starts with a trusted origin string can pass the CORS origin allowlist and read cross-origin responses from authenticated resources.
Scores
CVSS base score: not listed on this page
EPSS: not evaluated (N/A)
External references: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: ashleysommer
Product: sanic-cors
Version range: up to 2.2.0 (exclusive)
Note: the CPE range excludes 2.2.0 while the description above says "2.2.0 and prior"; treat 2.2.0 itself as affected until a fixed release is confirmed.
Weakness (CWE): CWE-UNKNOWN (no CWE assigned on this page)

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-37737 is a vulnerability in the sanic-cors library (version 2.2.0 and prior) in the validation of CORS origin allowlists. When an allowlist entry is a regular expression, try_match() in sanic_cors/core.py tests the request's Origin header with re.match(). re.match() anchors the pattern only at the start of the string; unless the pattern itself ends in $ or \Z, trailing characters are ignored, so the check is a prefix comparison rather than a whole-string comparison.

The attacker therefore does not need control of the trusted domain, only of a domain whose name starts with it. If https://trusted.com is trusted by a pattern, an attacker who owns attacker.io can serve a page from https://trusted.com.attacker.io: the Origin the victim's browser sends begins with the trusted string and is accepted, the server reflects it in Access-Control-Allow-Origin, and the attacker's page can read cross-origin responses from authenticated resources that the allowlist was meant to protect. Plain-string allowlist entries are compared for equality rather than matched as regular expressions, so only regex entries are exposed to this bug.


How can this vulnerability impact me?

An attacker who can register a domain that begins with a trusted origin string (for example https://trusted.com.attacker.io, which only requires owning attacker.io) hosts a page there. When a victim visits it, the browser sends that real origin in the Origin header, the vulnerable check accepts it, and the server reflects it in the Access-Control-Allow-Origin response header.

The attacker's page can then read cross-origin responses that should have been restricted. If the server also sends Access-Control-Allow-Credentials: true, those requests carry the victim's cookies, so authenticated data (account details, API responses, tokens returned in response bodies) is exposed to the attacker's origin.

The vulnerability has a CVSS 3.1 base score of 6.5 (Medium): it is network-reachable, has low attack complexity, and can have a high confidentiality impact.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start by finding installed copies of the library and confirming both the version and the vulnerable code path:

  • pip show sanic-cors (or pip list | grep -i sanic-cors in each virtualenv and container image) lists the installed version; anything at or below 2.2.0 should be treated as affected.
  • python -c "import inspect, sanic_cors.core as c; print(inspect.getsource(c.try_match))" prints try_match() so you can check whether it calls re.match() rather than re.fullmatch() or a pattern terminated with \Z; this page cites lines 306 and 308 of sanic_cors/core.py.
  • Review the application's CORS configuration: on a vulnerable version, any origin allowlist entry that is a regular expression without a trailing $ or \Z is matched as a prefix.

To detect exploitation attempts, look for Origin headers that start with a trusted domain but continue with further characters, such as https://trusted.com.attacker.io. Two caveats apply. The default combined access-log format does not record the Origin header, so add it (%{Origin}i in Apache, $http_origin in nginx) and ideally the Access-Control-Allow-Origin response header as well. And tcpdump only sees the header on cleartext HTTP; for HTTPS, inspect at the TLS terminator or in application logs. With those in place:

  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E 'Origin: https://trusted\.com[^[:space:]]' prints cleartext requests whose Origin continues past the trusted string; a bare grep for 'Origin: https://trusted.com' would also match every legitimate request.
  • grep -E '"https://trusted\.com[^"[:space:]]' access.log flags logged Origin values that carry a suffix after the trusted domain, assuming the log format quotes the Origin field; a matching Access-Control-Allow-Origin reflected with the same value is a strong indicator that the bypass succeeded.
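The log-scanning heuristic described above, as an added Python example that is not part of this page or of the sanic-cors project: it reads constructed access-log lines in an assumed custom format whose two trailing quoted fields are the request Origin and the Access-Control-Allow-Origin header the server returned, flags Origin values that start with a trusted origin string or embed the trusted host inside a longer name without actually being under it, and reports whether the server reflected each one. The log lines, the trusted origin and all function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Trusted origins as the application would configure them (constructed).
TRUSTED_ORIGINS = ["https://trusted.com"]

# Constructed access-log lines. Assumed custom format: the two trailing quoted
# fields are the request Origin and the Access-Control-Allow-Origin header the
# server sent back ("-" when absent). The default combined format records
# neither; nginx can add them with $http_origin and
# $sent_http_access_control_allow_origin.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jun/2026:10:00:01 +0000] "GET /api/me HTTP/1.1" 200 512 "https://trusted.com" "https://trusted.com"
203.0.113.5 - - [05/Jun/2026:10:00:02 +0000] "GET /api/me HTTP/1.1" 200 512 "https://app.trusted.com" "https://app.trusted.com"
198.51.100.7 - - [05/Jun/2026:10:00:03 +0000] "GET /api/me HTTP/1.1" 200 512 "https://trusted.com.attacker.io" "https://trusted.com.attacker.io"
198.51.100.7 - - [05/Jun/2026:10:00:04 +0000] "GET /api/me HTTP/1.1" 200 512 "https://app.trusted.com.attacker.io" "https://app.trusted.com.attacker.io"
198.51.100.8 - - [05/Jun/2026:10:00:05 +0000] "GET /api/me HTTP/1.1" 200 512 "https://trusted.company.io" "-"
198.51.100.9 - - [05/Jun/2026:10:00:06 +0000] "GET /api/me HTTP/1.1" 200 512 "https://evil.example" "-"
"""

QUOTED = re.compile(r'"([^"]*)"')


def parse_line(line):
    """Return (client_ip, origin, acao), or None for lines lacking the fields."""
    fields = QUOTED.findall(line)
    if len(fields) < 3:  # request line + Origin + ACAO expected
        return None
    return line.split(" ", 1)[0], fields[-2], fields[-1]


def hostname(origin):
    """Lower-cased host part of an origin, or "" if it does not parse."""
    try:
        return (urlsplit(origin).hostname or "").lower()
    except ValueError:
        return ""


def looks_like_prefix_bypass(origin):
    """True when the Origin is neither a trusted origin nor a subdomain of one,
    yet would pass a start-anchored (prefix-only) comparison."""
    host = hostname(origin)
    for trusted in TRUSTED_ORIGINS:
        thost = hostname(trusted)
        if host == thost or host.endswith("." + thost):
            return False  # genuinely under the trusted domain
        # Case 1: the raw Origin string starts with the trusted origin string
        # (catches trusted.com.attacker.io and trusted.company.io).
        if origin.lower().startswith(trusted.lower()):
            return True
        # Case 2: the trusted host appears as a run of labels in the middle of
        # a longer host, which an unanchored subdomain pattern would accept.
        if ("." + thost + ".") in ("." + host + "."):
            return True
    return False


def scan(log_text):
    """Return suspicious events as (ip, origin, reflected) tuples; reflected is
    True when the server echoed the Origin back in Access-Control-Allow-Origin."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, origin, acao = parsed
        if looks_like_prefix_bypass(origin):
            hits.append((ip, origin, acao == origin))
    return hits


if __name__ == "__main__":
    for ip, origin, reflected in scan(SAMPLE_LOG):
        status = "REFLECTED (bypass likely succeeded)" if reflected else "not reflected"
        print(f"{ip:14} {origin:40} {status}")
```

On the constructed lines the scan reports three events: the two attacker.io origins, both reflected by the server, and https://trusted.company.io, which the server did not reflect; the legitimate https://trusted.com and https://app.trusted.com requests are not flagged, and https://evil.example is ignored because it is not a prefix-bypass attempt.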


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is configuration-side and needs no library change: replace regular-expression origin entries with exact origin strings wherever possible, since plain strings are compared for equality and are not affected by the prefix match.

Where a regex is unavoidable (for example to allow every subdomain), terminate the pattern with $ or \Z, such as https://[a-z0-9-]+\.trusted\.com$ rather than https://.*\.trusted\.com, so that re.match() is forced to consume the whole Origin. Keep dots escaped, avoid an open-ended .* that could match an attacker-controlled host, and remember that an Origin includes the scheme and any explicit port.

If you maintain the sanic-cors source code or a vendored copy, fix the origin matching in try_match() within sanic_cors/core.py by replacing re.match() with re.fullmatch() at both call sites (lines 306 and 308) or by appending \Z to the pattern before matching.

Monitor for a fixed release from the sanic-cors maintainers and upgrade as soon as one is available; re-check the try_match() code in any version you deploy.
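As an added example, not code from the sanic-cors project or from this page, the following Python shows a minimal try_match()-style allowlist check in its vulnerable form (re.match(), the prefix-only comparison explained in the first answer above) beside the anchored form (re.fullmatch(), the fix recommended above), and runs both over constructed Origin values. The allowlist entries, probe origins and function names are assumptions for illustration; the exact-string path is included to show why plain origin strings are the safer configuration.

```python
import re

# Constructed allowlist with the two kinds of entry a CORS configuration can
# carry: a plain origin string and a regex pattern for subdomains.
ALLOWLIST = [
    "https://trusted.com",
    re.compile(r"https://[a-z0-9-]+\.trusted\.com", re.IGNORECASE),
]


def vulnerable_match(origin, entry):
    """Prefix-only check: re.match() anchors at the start of the string only,
    so any Origin that merely *begins* with a permitted value is accepted."""
    if isinstance(entry, re.Pattern):
        return entry.match(origin) is not None
    # Plain strings are compared for equality and cannot be prefix-matched.
    return origin.lower() == entry.lower()


def fixed_match(origin, entry):
    """Anchored check: re.fullmatch() requires the whole Origin to match."""
    if isinstance(entry, re.Pattern):
        return entry.fullmatch(origin) is not None
    return origin.lower() == entry.lower()


def is_allowed(origin, matcher, allowlist=ALLOWLIST):
    """True when any allowlist entry accepts the origin under the given matcher."""
    return any(matcher(origin, entry) for entry in allowlist)


# Constructed Origin values a browser might send on an attacker's behalf.
PROBES = [
    "https://api.trusted.com",              # legitimate subdomain
    "https://api.trusted.com.attacker.io",  # trusted pattern as a prefix
    "https://trusted.com.attacker.io",      # exact entry as a prefix only
    "https://api.trusted.com:8443",         # a port suffix also slips past
]


def evaluate(matcher):
    """Map each probe origin to the matcher's verdict."""
    return {origin: is_allowed(origin, matcher) for origin in PROBES}


if __name__ == "__main__":
    for name, matcher in (("vulnerable re.match", vulnerable_match),
                          ("fixed re.fullmatch", fixed_match)):
        print(name)
        for origin, ok in evaluate(matcher).items():
            print(f"  {origin:40} {'ALLOW' if ok else 'deny'}")
```

Running the block shows the prefix matcher admitting https://api.trusted.com.attacker.io and https://api.trusted.com:8443 through the regex entry, while the anchored matcher admits only the genuine subdomain. https://trusted.com.attacker.io is rejected by both because the exact-string entry is compared for equality and the subdomain pattern does not fit it at the start, which is the behaviour that makes exact-string allowlists the safer choice.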


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in sanic-cors allows an attacker to bypass CORS origin allowlists, potentially enabling unauthorized cross-origin requests to access authenticated resources. This unauthorized access could lead to exposure of sensitive data.

Such unauthorized data exposure can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Specifically, if an application using the vulnerable sanic-cors library handles personal or protected health information, this flaw could result in unauthorized disclosure, violating confidentiality requirements mandated by these standards.

