Description
Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF).
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.4.4
References
- GHSA-r3jv-xfgx-gj24
- www.certik.com
- www.vulncheck.com
- CVE-2020-36851
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- [email protected] contains malware after npm account takeover - CVE-2025-59144
- Trix vulnerable to Cross-site Scripting on copy & paste - CVE-2025-46812
- Froala WYSIWYG editor allows cross-site scripting (XSS) - CVE-2024-51434
- Vue I18n Allows Prototype Pollution in `handleFlatJson` - CVE-2025-27597
Tags
- npm
- cors-anywhere
Last updated on September 26, 2025