CVE-2020-36851: cors-anywhere vulnerable to server-side request forgery

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 9/25/2025
Updated: 9/25/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: -

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| cors-anywhere | npm | <= 0.4.4 | |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability, CVE-2020-36851, is a Server-Side Request Forgery (SSRF) in cors-anywhere. The root cause is not a specific bug, but the inherent design of the package when deployed as an open proxy without proper security configurations. The package is designed to proxy requests to any URL, and in its default configuration, it lacks restrictions on the target of these requests.

My analysis focused on identifying the core functions responsible for this proxying behavior, as these are the functions that would be exploited. By examining the code and the discussions in the associated GitHub issues (particularly issue #78, which discusses mitigating this SSRF), I pinpointed the request handling flow.

  1. The process begins in the anonymous function returned by getHandler in lib/cors-anywhere.js. This function acts as the main request handler. It extracts the target URL from the path of the incoming request. This is the entry point for the user-controlled, malicious input.

  2. This handler then calls the proxyRequest function, passing along the parsed URL.

  3. The proxyRequest function takes this URL and uses it to configure the http-proxy, setting the URL as the target of the outbound request. It then initiates the request using proxy.web().

At no point in this default flow is the target URL validated to ensure it does not point to internal services, cloud metadata endpoints, or other sensitive resources. This allows an attacker to craft a request to the cors-anywhere instance that causes the server to make a request to an arbitrary internal system.
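
One way to perform the target check that the default flow lacks, as an added example that is not cors-anywhere's own code. `classifyTarget` is a hypothetical helper, and the resolved addresses are supplied by the caller so the check runs offline:

```javascript
const net = require('net');

// Address ranges an internet-facing proxy should refuse to contact.
const internal = new net.BlockList();
for (const [prefix, bits] of [
  ['0.0.0.0', 8],       // "this network"
  ['10.0.0.0', 8],      // RFC 1918
  ['100.64.0.0', 10],   // carrier-grade NAT
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local, includes cloud metadata endpoints
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
]) internal.addSubnet(prefix, bits, 'ipv4');
internal.addAddress('::', 'ipv6');        // unspecified
internal.addAddress('::1', 'ipv6');       // loopback
internal.addSubnet('fc00::', 7, 'ipv6');  // unique local
internal.addSubnet('fe80::', 10, 'ipv6'); // link-local

// classifyTarget is a hypothetical helper, not part of cors-anywhere.
// resolvedAddrs: every address DNS returned for the hostname (caller-supplied
// so the check runs offline; the outbound socket must then be pinned to one of
// these addresses, otherwise a second lookup can return a different answer).
function classifyTarget(rawUrl, resolvedAddrs = []) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allow: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allow: false, reason: 'scheme not allowed' };
  }
  // The WHATWG parser normalises numeric IPv4 spellings to dotted-quad form,
  // so the range check sees the address the socket would actually use.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  const addrs = net.isIP(host) ? [host] : resolvedAddrs;
  if (addrs.length === 0) {
    return { allow: false, reason: 'hostname not resolved' };
  }
  for (const addr of addrs) {
    const family = net.isIP(addr);
    if (family === 0 || internal.check(addr, family === 6 ? 'ipv6' : 'ipv4')) {
      return { allow: false, reason: `internal address ${addr}` };
    }
  }
  return { allow: true, reason: 'public target' };
}
```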

The identified functions, getHandler.anonymous and proxyRequest, are therefore the key runtime indicators of this vulnerability. When this SSRF is exploited, these functions would appear in a stack trace or profiler output as they are directly involved in processing the malicious request and making the outbound connection.

Vulnerable functions

getHandler.anonymous (lib/cors-anywhere.js)
This anonymous function serves as the primary request handler. It extracts the target URL directly from the user-provided request path. In a default or misconfigured setup, it does not perform any validation to prevent requests to internal or restricted resources. This function is the entry point for the SSRF vulnerability, as it takes the malicious URL from the attacker.

proxyRequest (lib/cors-anywhere.js)
This function is responsible for creating and dispatching the proxied request using the `http-proxy` library. It takes the unvalidated `location` object (which contains the attacker-controlled URL) and sets it as the `target` for the proxy. This is the function that directly makes the server-side request to the arbitrary URL, leading to the SSRF vulnerability.
