Open Proxy Misconfiguration in CORS-Anywhere by Rob W
CVE-2020-36851

9.5CRITICAL

Key Information:

Vendor

Rob--w / Cors-anywhere

Status
Rob--w / Cors-anywhere
Vendor
CVE Published:
25 September 2025

What is CVE-2020-36851?

The CORS-Anywhere project has a misconfiguration that allows unauthorized external users to exploit the service as an open proxy. This vulnerability leads to Server-Side Request Forgery (SSRF) attacks, enabling attackers to induce the proxy to issue HTTP requests to arbitrary internal targets. Such exploitation can result in unauthorized access to sensitive metadata services, internal APIs, and cloud resources. Attackers can craft requests to retrieve sensitive data – including cloud credentials – and may execute arbitrary code or escalate privileges depending on exposed backend services. Protect against this vulnerability by implementing authentication, restrict proxy usage to trusted origins, whitelisting target hosts, and applying network-level security measures.

Affected Version(s)

Rob--W / cors-anywhere * <= 0.4.4

References

https://github.com/Rob--W/cors-anywhere/issues/152
issue-tracking
https://github.com/Rob--W/cors-anywhere/issues/78
issue-tracking
https://www.certik.com/resources/blog/cors-anywhere-dange...
technical-description

CVSS V4

Score:
9.5
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CertiK's Pentesting Team
Jonathan Leitschuh
JSON
.
CVE-2020-36851 : Open Proxy Misconfiguration in CORS-Anywhere by Rob W