Prefect CORS Misconfiguration Vulnerability Allowing Unauthorized Data Access

Vulnerability

A Cross-Origin Resource Sharing (CORS) misconfiguration has been identified in Prefect version 2.20.2. This vulnerability allows unauthorized domains to access sensitive data, potentially leading to unauthorized database access, data leaks, service disruptions, and risks to data integrity.

Impact

Exploitation of this vulnerability could result in unauthorized access to the database, allowing attackers to download its contents, including sensitive user information and chat data. Such access could violate user privacy, disrupt services, and create risks of data manipulation or loss.

Reproduction

To reproduce this vulnerability, send a request to the Prefect server's API with an 'Origin' header set to a malicious domain. If the server responds with the requested data, the vulnerability is present.
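The check described above, written as an added audit helper for your own deployment (not Prefect's code): it sends one request carrying a foreign Origin header and classifies the CORS response headers, since those headers are what decide whether a browser releases the returned data to that origin. The probe origin, the sample header sets and the server URL are constructed for the example.

```python
import urllib.error
import urllib.request
from typing import Mapping

# Constructed origin that no legitimate Prefect UI would use; only its reflection matters.
PROBE_ORIGIN = "https://cors-probe.example"


def classify_cors(headers: Mapping[str, str], probe_origin: str = PROBE_ORIGIN) -> str:
    """Classify the CORS headers returned for a request carrying a foreign Origin.

    A browser only hands the response body to a page at `probe_origin` when
    Access-Control-Allow-Origin (ACAO) names that origin or is '*'; adding
    Access-Control-Allow-Credentials: true extends that to authenticated requests.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    acac = lower.get("access-control-allow-credentials", "").lower() == "true"
    if acao == probe_origin and acac:
        return "reflected-with-credentials"   # worst case: any site can read logged-in data
    if acao in (probe_origin, "*"):
        return "reflected"                    # arbitrary origin allowed for unauthenticated reads
    return "ok"                               # origin not allowed; the browser blocks the read


def probe(url: str, probe_origin: str = PROBE_ORIGIN, timeout: float = 5.0) -> str:
    """Send one GET to `url` (an API endpoint of your own Prefect server) and classify it."""
    req = urllib.request.Request(url, headers={"Origin": probe_origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors(dict(resp.headers.items()), probe_origin)
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses still carry CORS headers, so classify those too.
        return classify_cors(dict(err.headers.items()), probe_origin)


# Constructed sample responses covering the three verdicts.
SAMPLE_MISCONFIGURED = {
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_WILDCARD = {"Access-Control-Allow-Origin": "*"}
SAMPLE_FIXED = {"Access-Control-Allow-Origin": "https://prefect-ui.internal.example"}

if __name__ == "__main__":
    for name, hdrs in [("misconfigured", SAMPLE_MISCONFIGURED),
                       ("wildcard", SAMPLE_WILDCARD), ("fixed", SAMPLE_FIXED)]:
        print(f"{name}: {classify_cors(hdrs)}")
```

Run `probe("http://<your-prefect-host>:<port>/api/...")` against a test instance; a verdict other than "ok" means the server accepts the arbitrary origin and the upgrade in the Remediation section applies.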

Remediation

Users can update to Prefect version 3.0.3 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 3.1
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.