MeTube CORS Policy Vulnerability Allowing Cross-Origin Requests

A vulnerability in MeTube by alexta69, affecting versions prior to 2026.04.09, allows for a permissive Cross-Origin Resource Sharing (CORS) policy. The issue arises in the 'on_prepare' function of 'app/main.py', where the 'Origin' header is reflected into the 'Access-Control-Allow-Origin' response without validation. This flaw enables remote cross-origin requests from untrusted domains, potentially leading to unauthorized actions on behalf of the user.

Impact

Exploitation of this vulnerability allows for cross-origin request forgery. An attacker can initiate downloads, overwrite cookies, delete download history, create subscriptions, and, under certain conditions, execute arbitrary commands on the server via remote code execution.

Reproduction

To reproduce this vulnerability, upload the provided proof-of-concept HTML file to a server. While MeTube is running, access the HTML file in a browser. Click the button, which will trigger a cross-origin download on the MeTube instance.

Remediation

Users are advised to upgrade to MeTube version 2026.04.10, which addresses the CORS vulnerability by implementing a proper allowlist. The latest version can be downloaded from the GitHub repository.