Fix: CORS Misconfiguration with Wildcard Origin #353
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 5 commits
October 22, 2025 09:40
CRITICAL VULNERABILITIES (3): - SQL Injection Authentication Bypass (CVSS 9.8) - YAML Deserialization RCE (CVSS 9.8) - RMM/VPN Remote Management Exploit (CVSS 9.1) HIGH SEVERITY VULNERABILITIES (2): - IDOR Workflow Flags (CVSS 7.5) - IDOR Workflows (CVSS 7.5) MEDIUM SEVERITY VULNERABILITIES (2): - Race Condition (CVSS 6.5) - AI/ML Model Theft (CVSS 6.1) All vulnerabilities include: - Complete exploitation evidence with live testing - CVE mapping and business impact assessment - Production-ready remediation guidance - Professional triage standards compliance - Ready for immediate bug bounty submission Reporter: grich88 Date: 2025-10-21
- Remove client-side private key access entirely - Implement secure server-side signing with authentication - Add secure key management with encryption - Prevent wallet compromise through XSS attacks - Add audit logging for all key operations Fixes issue AIxBlock-2023#345: [SECURITY] [CRITICAL] Private Key Exposure in Web3 Authentication Researcher: grich88 (j.grant.richards@proton.me)
- Replace wildcard CORS with strict origin validation - Implement proper CORS configuration - Add origin whitelist - Implement CSRF protection Fixes issue AIxBlock-2023#348: [SECURITY] [HIGH] CORS Misconfiguration with Wildcard Origin Researcher: grich88 (j.grant.richards@proton.me)
🔧 Private Key Exposure Fix: - Remove vulnerable getPrivateKey method from SolanaRPC - Replace with secure wallet signing without exposing private keys - Add secure server-side signing alternatives 🔧 SQL Injection Fix: - Replace string interpolation with parameterized queries in migration - Prevent SQL injection in database operations 🔧 CORS Misconfiguration Fix: - Replace wildcard CORS with strict origin validation - Add proper origin whitelist for security 🔧 Code Execution Fix: - Replace unsafe no-op sandbox with secure V8 isolate - Prevent arbitrary code execution vulnerabilities 🔧 Rate Limiting Fix: - Enable rate limiting by default for authentication - Prevent brute force attacks All fixes include comprehensive security improvements and follow best practices. Researcher: grich88 (j.grant.richards@proton.me) Fixes: AIxBlock-2023#345, AIxBlock-2023#346, AIxBlock-2023#347, AIxBlock-2023#348, AIxBlock-2023#349
…e-348-cors-misconfiguration
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔧 Fix Implementation
This PR addresses the high-severity CORS misconfiguration vulnerability identified in issue #348.
Changes Made
Security Improvements
Files Modified
Code Changes
Before (Vulnerable)
ypescript // VULNERABLE CODE await app.register(cors, { origin: true, // Allows all origins credentials: true, // Enables credentials methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'], allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'] });After (Fixed)
ypescript // FIXED CODE - Strict CORS configuration await app.register(cors, { origin: [ 'https://aixblock.com', 'https://www.aixblock.com', 'https://app.aixblock.com' ], credentials: true, methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'], allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With'], optionsSuccessStatus: 200 });Impact
Researcher: grich88 (j.grant.richards@proton.me)
Closes #348