Severity: HIGH | CWE-942 | Category: API Security

CORS Wildcard Misconfiguration

Description

Your API responds with Access-Control-Allow-Origin: *, allowing any website to make authenticated requests to your API.

How Vezraa Detects It

We send an OPTIONS preflight request and check the Access-Control-Allow-Origin response header.

Real-World Impact

Malicious websites can make API requests using the victim's cookies (if credentials are included), leading to data theft and account actions.

Fix Example

const express = require('express');
const cors = require('cors');
const app = express();

// BAD — allows any origin: every site on the web can read your API's responses
app.use(cors({ origin: '*' }));

// GOOD — restrict to your domain (exact origin, scheme included, no trailing slash)
app.use(cors({ origin: 'https://myapp.com' }));
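The check described under "How Vezraa Detects It" and the allowlist fix above, written out as an added example; this is not Vezraa's scanner code, the header objects are constructed, and `ALLOWED_ORIGINS` is an assumed allowlist. `originCheck` uses the `(origin, callback)` shape the cors package accepts for its `origin` option.

```javascript
// Case-insensitive header lookup (node's http module lower-cases header names,
// but a hand-built object may not).
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]);
}

// Classify the Access-Control-Allow-Origin policy seen on one preflight response.
// Returns 'none', 'wildcard', 'wildcard-with-credentials' or 'specific'.
function classifyCors(headers) {
  const acao = header(headers, 'access-control-allow-origin');
  const acac = (header(headers, 'access-control-allow-credentials') || '').toLowerCase() === 'true';
  if (acao === undefined) return 'none';
  if (acao.trim() === '*') return acac ? 'wildcard-with-credentials' : 'wildcard';
  return 'specific';
}

// Assumed allowlist: full origins (scheme + host), matched exactly, so that
// lookalike hosts such as myapp.com.example never pass a prefix or substring test.
const ALLOWED_ORIGINS = new Set(['https://myapp.com', 'https://admin.myapp.com']);

// Origin callback for cors({ origin: originCheck }): callback(null, true) echoes
// the request's own Origin back, callback(null, false) grants no CORS headers.
// Requests with no Origin header (same-origin, curl) get no grant but are still served.
function originCheck(origin, callback) {
  if (origin === undefined) return callback(null, false);
  callback(null, ALLOWED_ORIGINS.has(origin));
}

// Synchronous wrapper so the allowlist decision can be checked directly.
function isAllowedOrigin(origin) {
  let allowed = false;
  originCheck(origin, (err, ok) => { allowed = ok === true; });
  return allowed;
}

// Constructed sample responses a scanner might see.
const samples = [
  { 'Access-Control-Allow-Origin': '*' },
  { 'access-control-allow-origin': '*', 'access-control-allow-credentials': 'true' },
  { 'access-control-allow-origin': 'https://myapp.com', vary: 'Origin' },
  {},
];
for (const s of samples) console.log(classifyCors(s));
```

Browsers refuse to expose a response to a credentialed request when the header is a bare `*`, which is why the checker reports `*` together with Access-Control-Allow-Credentials: true as its own finding rather than as a working exposure. Wiring the fix in is `app.use(cors({ origin: originCheck }))` in place of the string form above.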

Affected Stacks

Express, Fastify, Next.js API, all backends


CORS Wildcard Misconfiguration — Vulnerability Database | Vezraa