CVE-2020-36851
JavaScript vulnerability analysis and mitigation

Overview

Rob--W/cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets. The issue is tracked as CVE-2020-36851. It affects all versions of the cors-anywhere package and was disclosed on September 25, 2025. It stems from the proxy's failure to block requests to RFC 1918 IP ranges and cloud Instance Metadata Services (IMDS) (GHSA Advisory).

Technical details

The vulnerability arises because the project does not ship with a default deny list for RFC 1918 IP ranges or cloud IMDS systems. The proxy forwards requests and headers, which lets attackers reach internal-only endpoints and link-local metadata services and interact with internal APIs. The vulnerability has received a CVSS v4.0 base score of 9.5 (Critical) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H. It is classified under CWE-918 (Server-Side Request Forgery) and CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) (GHSA Advisory).

Impact

Successful exploitation can result in theft of cloud credentials, unauthorized access to internal services, remote code execution or privilege escalation (depending on reachable backends), data exfiltration, and full compromise of cloud resources. For example, in a GCP environment, attackers can steal GCP access tokens by making requests to metadata.google.internal (GHSA Advisory).

Mitigation and workarounds

Mitigation strategies include: restricting the proxy to trusted origins or requiring authentication, whitelisting allowed target hosts, preventing access to link-local and internal IP ranges, removing support for unsafe HTTP methods/headers, enabling cloud provider mitigations, and deploying network-level protections (NVD).
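
One way to combine the target-host whitelist with the link-local and internal-range deny list described above, as an added example (not code from cors-anywhere or the advisory). `ALLOWED_HOSTS`, `isDeniedAddress`, `checkTarget` and the sample addresses are assumptions made for illustration; the caller is assumed to pass in the addresses its resolver returned for the target host.

```javascript
const net = require('node:net');

// Deny list: RFC 1918, loopback, "this network" and link-local
// (169.254.0.0/16, where cloud metadata services listen), plus IPv6 equivalents.
const denied = new net.BlockList();
for (const [base, bits] of [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['0.0.0.0', 8]]) {
  denied.addSubnet(base, bits, 'ipv4');
}
denied.addAddress('::1', 'ipv6');
denied.addAddress('::', 'ipv6');
denied.addSubnet('fe80::', 10, 'ipv6'); // IPv6 link-local
denied.addSubnet('fc00::', 7, 'ipv6');  // IPv6 unique local

function isDeniedAddress(address) {
  // Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/i.exec(address);
  const ip = mapped ? mapped[1] : address;
  const family = net.isIP(ip);
  if (family === 0) return true; // not an IP literal: fail closed
  return denied.check(ip, family === 4 ? 'ipv4' : 'ipv6');
}

// Hypothetical allowlist of hosts the proxy is permitted to fetch from.
const ALLOWED_HOSTS = new Set(['api.example.com']);

// Decide whether a proxied request may be forwarded. resolvedAddresses is the
// full list of IPs the resolver returned for the URL's host (assumption).
function checkTarget(targetUrl, resolvedAddresses) {
  let url;
  try { url = new URL(targetUrl); } catch { return { allowed: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allowed: false, reason: 'scheme not allowed' };
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { allowed: false, reason: 'host not allowlisted' };
  }
  // An allowlisted name can still point inward, so every resolved address is checked.
  if (resolvedAddresses.length === 0 || resolvedAddresses.some(isDeniedAddress)) {
    return { allowed: false, reason: 'resolves to internal address' };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed sample inputs:
console.log(checkTarget('https://api.example.com/v1', ['93.184.216.34']));
console.log(checkTarget('https://api.example.com/v1', ['10.0.0.5']));
console.log(checkTarget('http://metadata.google.internal/', ['169.254.169.254']));
```

The outbound connection should be made to one of the addresses that passed the check rather than resolving the name a second time, so the address that was verified is the one actually contacted.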

Community reactions

The vulnerability was originally discovered by the research team at CertiK and later rediscovered by Jonathan Leitschuh at Socket, who coordinated the CVE assignment. The issue has been actively discussed in the project's GitHub repository, with multiple related issues being opened to address security concerns and documentation improvements (GHSA Advisory).

This report was generated using AI.

Related JavaScript vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date
CVE-2025-59834 | CRITICAL | 9.8 | JavaScript | adb-mcp | No | No | Sep 25, 2025
CVE-2020-36851 | CRITICAL | 9.5 | JavaScript | cors-anywhere | No | No | Sep 25, 2025
CVE-2025-59936 | CRITICAL | 9.4 | JavaScript | get-jwks | No | Yes | Sep 27, 2025
CVE-2025-59831 | HIGH | 8.7 | JavaScript | git-commiters | No | Yes | Sep 25, 2025
CVE-2025-59845 | HIGH | 8.2 | JavaScript | @apollo/explorer | No | Yes | Sep 26, 2025
