Description
Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF).
Recommendation
No fix is available yet. The following versions are affected:
- <= 0.4.4
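With no patched release available, one mitigation is to stop running the proxy open and validate each requested target before it reaches the proxy. The following is an added example, not code from this advisory or from the cors-anywhere project; `checkTarget`, `guard`, the allowlisted hosts and the assumed request-path format are illustrative.

```javascript
// Constructed allowlist: the only upstream hosts this deployment needs.
const ALLOWED_HOSTS = new Set(['api.example.com', 'static.example.com']);
const ALLOWED_PORTS = new Set(['', '80', '443']); // '' means the scheme default

// Assumption: the target arrives as the request path without its leading
// slash, e.g. "/https://api.example.com/v1/items" or "/api.example.com/v1".
function parseTarget(reqUrl) {
  let raw = String(reqUrl).replace(/^\/+/, '');
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(raw)) raw = 'http://' + raw;
  try {
    return new URL(raw);
  } catch {
    return null; // unparseable target: reject
  }
}

// Returns the validated URL object, or null when the target must be refused.
function checkTarget(reqUrl, allowedHosts = ALLOWED_HOSTS) {
  const t = parseTarget(reqUrl);
  if (!t) return null;
  if (t.protocol !== 'http:' && t.protocol !== 'https:') return null;
  if (t.username || t.password) return null; // refuse user:pass@host forms
  if (!ALLOWED_PORTS.has(t.port)) return null;
  // WHATWG URL normalises IPv4 spellings to dotted decimal and brackets IPv6,
  // so IP literals are refused even if one was added to the allowlist.
  if (/^\d+(\.\d+){3}$/.test(t.hostname) || t.hostname.startsWith('[')) return null;
  return allowedHosts.has(t.hostname) ? t : null;
}

// Wraps any (req, res) listener, for example the proxy's request handler.
function guard(handler, allowedHosts = ALLOWED_HOSTS) {
  return (req, res) => {
    const target = checkTarget(req.url, allowedHosts);
    if (!target) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end('Target not allowed\n');
      return;
    }
    req.url = '/' + target.href; // forward exactly the URL that was validated
    handler(req, res);
  };
}
```

The check covers only the URL as requested; redirects the proxy follows and allowlisted names that resolve to internal addresses need separate handling.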
References
- GHSA-r3jv-xfgx-gj24
- www.certik.com
- www.vulncheck.com
- CVE-2020-36851
- CWE-918
- CAPEC-310
- OWASP 2021-A10
- OWASP 2021-A6
Related Issues
- Axios vulnerable to Server-Side Request Forgery - CVE-2020-28168
- RSSHub vulnerable to Server-Side Request Forgery - CVE-2024-27927
- Server-Side Request Forgery in @uppy/companion - CVE-2020-8205
- Server-Side Request Forgery in @uppy/companion - CVE-2020-8135
Tags
- npm
- cors-anywhere
Last updated on September 26, 2025