CVE-2020-36851 in cors-anywhereinfo

Summary

by MITRE • 09/25/2025

Rob--W cors-anywhere instances configured as an open proxy allow unauthenticated external users to induce the server to make HTTP requests to arbitrary targets (SSRF). Because the proxy forwards requests and headers, an attacker can reach internal-only endpoints and link-local metadata services, retrieve instance role credentials or other sensitive metadata, and interact with internal APIs and services that are not intended to be internet-facing. The vulnerability is exploitable by sending crafted requests to the proxy with the target resource encoded in the URL; many cors-anywhere deployments forward arbitrary methods and headers (including PUT), which can permit exploitation of IMDSv2 workflows as well as access to internal management APIs. Successful exploitation can result in theft of cloud credentials, unauthorized access to internal services, remote code execution or privilege escalation (depending on reachable backends), data exfiltration, and full compromise of cloud resources. Mitigation includes: restricting the proxy to trusted origins or authentication, whitelisting allowed target hosts, preventing access to link-local and internal IP ranges, removing support for unsafe HTTP methods/headers, enabling cloud provider mitigations, and deploying network-level protections.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/27/2026

The vulnerability described in CVE-2020-36851 represents a critical server-side request forgery flaw in cors-anywhere proxy implementations that have been configured as open proxies. This security weakness stems from the improper validation of target URLs and request parameters, allowing unauthenticated attackers to leverage the proxy server as a conduit for making HTTP requests to arbitrary internal and external endpoints. The flaw is particularly dangerous because it enables attackers to bypass network segmentation controls and access resources that should remain isolated from public internet exposure. When deployed in cloud environments, these open proxy configurations create a significant attack surface that can be exploited to compromise entire cloud infrastructure. The vulnerability affects systems where cors-anywhere instances are configured without proper access controls, authentication mechanisms, or destination validation, making them susceptible to abuse by malicious actors seeking to explore internal networks and extract sensitive information. This type of vulnerability is classified under CWE-918 as Server-Side Request Forgery, which specifically addresses the risk of attackers manipulating servers into making unintended requests to internal resources.

The technical exploitation of this vulnerability occurs through the manipulation of URL parameters that specify target resources for the proxy to fetch on behalf of the attacker. Attackers can craft requests that include encoded target URLs, enabling the proxy server to forward requests to internal IP ranges, link-local addresses, and metadata services that are typically protected by network security controls. The proxy's forwarding behavior extends beyond simple GET requests to include arbitrary HTTP methods such as PUT, POST, and DELETE, which can be leveraged to exploit various internal APIs and services. This capability is particularly concerning when targeting AWS environments, as the proxy can access the Instance Metadata Service v2 (IMDSv2) and extract sensitive credentials and role information. The vulnerability is exacerbated by the fact that many cors-anywhere deployments forward all headers without proper sanitization, allowing attackers to inject malicious headers that can further compromise the attack vector. The flaw can be exploited by sending specially crafted requests where the target resource is embedded within the URL structure, effectively turning the proxy server into a tool for internal reconnaissance and lateral movement.

The operational impact of successful exploitation can be catastrophic for organizations relying on cloud infrastructure and network segmentation for security. Attackers can leverage this vulnerability to perform reconnaissance activities against internal networks, identify vulnerable services, and extract sensitive metadata that could lead to privilege escalation or full system compromise. The ability to access cloud instance credentials and role information can result in unauthorized access to cloud storage, databases, and other critical resources. Depending on the internal services accessible through the compromised proxy, attackers may be able to execute remote code, perform data exfiltration, or establish persistent access to the organization's infrastructure. The vulnerability can also facilitate more sophisticated attacks such as privilege escalation by leveraging stolen credentials to access higher-privileged services or by exploiting weaknesses in internal APIs that are not properly protected. Network-level consequences include potential disruption of services, unauthorized data access, and the possibility of attackers using the compromised proxy as a pivot point for further attacks within the organization's network infrastructure.

Mitigation strategies for CVE-2020-36851 require a multi-layered approach that addresses both configuration and network-level security controls. Organizations should implement strict access controls that restrict proxy usage to trusted origins and require authentication for all proxy requests, preventing unauthorized users from leveraging the service. Deployments should include comprehensive destination whitelisting that explicitly defines allowed target hosts and prevents access to internal IP ranges, link-local addresses, and metadata services. Network-level protections such as firewalls and security groups should be configured to block access to internal resources from proxy servers, while also implementing proper IP address filtering to prevent requests to sensitive address ranges. The proxy configuration should be reviewed to disable support for unsafe HTTP methods and headers that could be exploited for advanced attack techniques, particularly those that enable interaction with IMDSv2 workflows. Cloud providers offer specific mitigations for this type of vulnerability through their security services and network controls, including automated threat detection and prevention mechanisms that can identify and block suspicious proxy activities. Regular security audits and monitoring should be implemented to detect unauthorized proxy usage and ensure that security controls remain effective against evolving attack techniques. This vulnerability demonstrates the importance of following the principle of least privilege and the need for proper network segmentation, as highlighted in the ATT&CK framework's methodology for lateral movement and credential access techniques.

Responsible

VulnCheck

Reservation

09/25/2025

Disclosure

09/25/2025

Moderation

accepted

CPE

ready

EPSS

0.01005

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!