Submit #796145: github.com/farion1231 cc-switch v3.12.3 Origin Validation Errorinfo

Titlegithub.com/farion1231 cc-switch v3.12.3 Origin Validation Error
DescriptionThe local proxy server (127.0.0.1:15721) started by cc-switch uses an overly permissive CORS policy (allow_origin(Any)), which allows any website to send cross-origin requests to the proxy. Since the proxy automatically injects the user's API key into forwarded requests, a malicious website can silently use the user's AI API (Claude, OpenAI, Gemini, etc.) without knowing the API key itself. This requires only one user action — visiting a webpage. Impact Impact Description API Key Abuse Attacker can make unlimited API calls at the victim's expense Cost Amplification Victim incurs charges from all API calls made by attacker Data Exfiltration AI responses may contain sensitive context about the victim's work Rate Limit Exhaustion Attacker can exhaust victim's API rate limits Cross-Provider Affects all configured providers (Claude, OpenAI, Gemini, Codex, etc.)
Source⚠️ https://github.com/farion1231/cc-switch/issues/1841
User
 r00tuser (UID 88975)
Submission04/03/2026 04:14 (3 months ago)
Moderation04/12/2026 09:56 (9 days later)
StatusAccepted
VulDB entry357007 [farion1231 cc-switch up to 3.12.3 ProxyServer server.rs cross-domain policy]
Points20

Do you need the next level of professionalism?

Upgrade your account now!