CVE-2025-57755: 
JavaScript vulnerability analysis and mitigation

CVE-2025-57755 affects claude-code-router, a tool designed for routing Claude Code requests to different models and customizing requests. The vulnerability was discovered and disclosed on August 21, 2025, impacting versions prior to 1.0.34. The issue stems from improper Cross-Origin Resource Sharing (CORS) configuration that could potentially expose sensitive user credentials (GitHub Advisory, NVD).

The vulnerability is characterized by an improper Cross-Origin Resource Sharing (CORS) configuration that could allow unauthorized access from untrusted domains. The issue has been assigned a CVSS v4.0 base score of 8.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U. The vulnerability has been classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability could allow attackers to steal API Keys or equivalent credentials, potentially leading to account abuse, quota exhaustion, and unauthorized access to sensitive data. The exposure of credentials to untrusted domains creates a significant security risk for affected systems (GitHub Advisory).

The vulnerability has been patched in version 1.0.34 of claude-code-router. Users are advised to upgrade to this version to address the CORS configuration issue (GitHub Advisory).