| Field | Value |
|---|---|
| Title | github.com/farion1231 cc-switch v3.12.3 Origin Validation Error |
| Description | The local proxy server (127.0.0.1:15721) started by cc-switch uses an overly permissive CORS policy (`allow_origin(Any)`), which allows any website to send cross-origin requests to the proxy. Since the proxy automatically injects the user's API key into forwarded requests, a malicious website can silently use the user's AI API (Claude, OpenAI, Gemini, etc.) without knowing the API key itself. This requires only one user action — visiting a webpage. The submitted impact table is reproduced below. |
| Source | https://github.com/farion1231/cc-switch/issues/1841 |
| User | r00tuser (UID 88975) |
| Submission | 03.04.2026 04:14 (14 days ago) |
| Moderation | 12.04.2026 09:56 (9 days later) |
| Status | Accepted |
| VulDB Entry | 357007 [farion1231 cc-switch up to 3.12.3 ProxyServer server.rs privilege escalation] |
| Points | 20 |

Impact (from the submitted description):

| Impact | Description |
|---|---|
| API Key Abuse | Attacker can make unlimited API calls at the victim's expense |
| Cost Amplification | Victim incurs charges from all API calls made by attacker |
| Data Exfiltration | AI responses may contain sensitive context about the victim's work |
| Rate Limit Exhaustion | Attacker can exhaust victim's API rate limits |
| Cross-Provider | Affects all configured providers (Claude, OpenAI, Gemini, Codex, etc.) |
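An added example (not cc-switch's own code and not the project's fix) contrasting what `allow_origin(Any)` amounts to with an exact-match origin allowlist for a loopback proxy that injects credentials; the allowlisted origin values are assumed.

```rust
// Added example, not cc-switch's code. Origin validation for a loopback proxy
// that injects API keys into forwarded requests. Allowlist values are assumed.
use std::collections::HashSet;

/// Outcome of checking a request's Origin header.
#[derive(Debug, PartialEq)]
pub enum OriginDecision {
    /// No Origin header: a non-browser client such as a CLI tool. No CORS headers.
    NoOrigin,
    /// Allowlisted origin: echoed back verbatim (never "*"), with Vary: Origin.
    Allowed(String),
    /// Any other origin, including "null": reject before forwarding anything.
    Rejected,
}

/// What allow_origin(Any) amounts to: a wildcard for every request, no check at all.
pub fn permissive_cors_headers() -> Vec<(&'static str, String)> {
    vec![("Access-Control-Allow-Origin", "*".to_string())]
}

/// CORS headers only control what a page may read; a simple POST is still sent
/// to the proxy, so the proxy must also refuse to forward (and inject the key).
pub fn should_forward(decision: &OriginDecision) -> bool {
    !matches!(decision, OriginDecision::Rejected)
}

pub struct CorsPolicy {
    allowed: HashSet<String>,
}

impl CorsPolicy {
    /// Origins match exactly as scheme://host[:port]; no patterns or suffix matching.
    pub fn new(origins: &[&str]) -> Self {
        CorsPolicy { allowed: origins.iter().map(|o| o.to_string()).collect() }
    }

    pub fn check(&self, origin: Option<&str>) -> OriginDecision {
        match origin {
            None => OriginDecision::NoOrigin,
            Some(o) if self.allowed.contains(o) => OriginDecision::Allowed(o.to_string()),
            Some(_) => OriginDecision::Rejected,
        }
    }

    /// CORS response headers for a decision; rejected and non-browser requests get none.
    pub fn response_headers(&self, decision: &OriginDecision) -> Vec<(&'static str, String)> {
        match decision {
            OriginDecision::Allowed(o) => vec![
                ("Access-Control-Allow-Origin", o.clone()),
                ("Vary", "Origin".to_string()),
            ],
            _ => Vec::new(),
        }
    }
}
```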