flask-cors icon indicating copy to clipboard operation
flask-cors copied to clipboard
verified publisher icon corydolphin

GHSA-hxwh-jpp2-84pm

Open nicolaschaillan opened this issue 1 year ago • 2 comments

Hello,

Is there an ETA for fixing GHSA-hxwh-jpp2-84pm ?

https://github.com/advisories/GHSA-hxwh-jpp2-84pm

Thank you

nicolaschaillan avatar Aug 21 '24 01:08 nicolaschaillan

Opened a PR with a backwards compatible fix (partial fix I guess) in https://github.com/corydolphin/flask-cors/pull/363

The real fix is a breaking change and requires a new major version - @corydolphin to advise how to deal with this.

adrianosela avatar Aug 21 '24 20:08 adrianosela

@corydolphin any update on this please? This is quite urgent or we will need to move to another lib unfortunately

nicolaschaillan avatar Aug 23 '24 14:08 nicolaschaillan

@corydolphin Could you please look into this at your earliest convenience? As this code is currently in production, addressing this issue is quite urgent.

SaleelAhsanM avatar Aug 30 '24 09:08 SaleelAhsanM

Fixed in 4.0.2 and defaulted to False in 5.0.0

corydolphin avatar Aug 31 '24 00:08 corydolphin

5.0.0 is also showing in the Affected versions list.

https://osv.dev/vulnerability/PYSEC-2024-71

SaleelAhsanM avatar Aug 31 '24 08:08 SaleelAhsanM

Not in the CVE though ; and Github also considers 5.0 to be safe https://github.com/advisories/GHSA-hxwh-jpp2-84pm

CharlesPerrotMinot avatar Sep 04 '24 00:09 CharlesPerrotMinot