CVE-2025-50864: 
JavaScript vulnerability analysis and mitigation

An Origin Validation Error in the elysia-cors library through version 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The vulnerability was discovered in August 2025 and assigned CVE-2025-50864 (NVD). The affected component is the CORS validation mechanism in the elysia-cors library, which is used for handling cross-origin requests in web applications.

The vulnerability stems from improper validation of the supplied origin in the CORS policy implementation. The library incorrectly validates origins by checking if the supplied origin is a substring of any domain in the site's CORS policy, rather than performing an exact match. For example, if a site's CORS policy specifies 'example.com' as allowed origin, malicious origins like 'notexample.com' or 'example.common.net' would be incorrectly whitelisted (Medium Blog). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation. Attackers can bypass CORS restrictions and make cross-origin requests from unauthorized domains, potentially leading to unauthorized access to sensitive information (Medium Blog).

The vulnerability has been fixed in version 1.3.1 of the elysia-cors library. Users should upgrade to this version or later to address the vulnerability. The fix implements proper origin validation instead of the vulnerable substring matching approach (Medium Blog).

The vulnerability was discovered and reported by Raghav Agrawal, who reached out to the library maintainer SaltyAom. The maintainer acknowledged the bug and promptly released a fix in version 1.3.1 (Medium Blog).