VC009 · A05:2021 · CWE-942

CORS misconfiguration

Permissive CORS configuration: `Access-Control-Allow-Origin: *` combined with credentials, or the request origin reflected into the header without an allowlist check. A reflected origin lets any website a logged-in user visits read that user's authenticated API responses.

What this rule detects

VC009 fires on three patterns:

  • `cors({ origin: '*', credentials: true })`. Servers will happily emit `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, but browsers refuse to expose a credentialed response whose allowed origin is `*`, so this combination does not leak data by itself. It does show that credentials were meant to cross origins, and the usual "fix" (reflecting the request origin, which is what `cors({ origin: true })` does) is the pattern that leaks.
  • `req.headers.origin` reflected directly into `Access-Control-Allow-Origin` with no allowlist check. Every origin is accepted, including the literal `null` that sandboxed iframes send.
  • Wildcard origins on routes that return user-specific data.

Vulnerable vs. safe code

Vulnerable
// Reflects whatever origin the request came from and allows credentials,
// so any site a logged-in user visits can read their API responses.
app.use((req, res, next) => {
  // The guard only avoids an invalid (undefined) header value on requests
  // without an Origin header; the reflection itself is the bug.
  if (req.headers.origin) {
    res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
    res.setHeader("Access-Control-Allow-Credentials", "true");
  }
  next();
});
Safe
const ALLOWED = new Set([
  "https://xploitscan.com",
  "https://app.xploitscan.com",
]);

app.use((req, res, next) => {
  const origin = req.headers.origin;
  // Vary on Origin for every response, so a shared cache never serves the
  // CORS headers issued for one origin to a request from another.
  res.setHeader("Vary", "Origin");
  // Exact string match against the allowlist. Suffix or regex checks are not
  // an allowlist: they also accept hosts like evilxploitscan.com.
  if (origin && ALLOWED.has(origin)) {
    res.setHeader("Access-Control-Allow-Origin", origin);
    res.setHeader("Access-Control-Allow-Credentials", "true");
  }
  next();
});
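To make the difference between the two middlewares testable without a browser, here is an added example (not XploitScan's rule logic and not the page's own code) that expresses each server-side policy as a function returning response headers and implements the browser-side CORS check as the Fetch standard specifies it. It also covers the wildcard-plus-credentials pattern from the rule and a suffix-based check, a frequent mistaken substitute for an allowlist. The allowlist is the one from the safe snippet above; the attacker origins such as `https://attacker.example` are constructed for this example.

```javascript
// Added example: server-side CORS policies as pure functions, plus a model of
// the browser's CORS check (Fetch standard), so each policy can be exercised offline.
// Origins such as https://attacker.example are constructed for this example.

const ALLOWED = new Set([
  "https://xploitscan.com",
  "https://app.xploitscan.com",
]);

// Pattern (2): reflect the request Origin with no allowlist check.
// The guard only avoids an undefined header value; the reflection is the bug.
function reflectingPolicy(origin) {
  if (!origin) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
  };
}

// Pattern (1): wildcard plus credentials. Servers will emit it; browsers refuse it.
function wildcardWithCredentialsPolicy() {
  return {
    "access-control-allow-origin": "*",
    "access-control-allow-credentials": "true",
  };
}

// A suffix check is a common substitute for an allowlist that is not one:
// "https://evilxploitscan.com".endsWith("xploitscan.com") is true.
function suffixPolicy(origin) {
  if (!origin || !origin.endsWith("xploitscan.com")) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
  };
}

// The safe pattern from this page: exact-match allowlist, Vary: Origin on every response.
function allowlistPolicy(origin) {
  const headers = { vary: "Origin" };
  if (origin && ALLOWED.has(origin)) {
    headers["access-control-allow-origin"] = origin;
    headers["access-control-allow-credentials"] = "true";
  }
  return headers;
}

// Browser-side CORS check as the Fetch standard specifies it. Returns true when
// script running at requestOrigin is allowed to read the response.
// credentialsMode is "include" (cookies/auth sent) or "omit".
function browserCorsCheck(headers, requestOrigin, credentialsMode) {
  const acao = headers["access-control-allow-origin"];
  if (acao === undefined) return false;                 // no header: blocked
  if (credentialsMode !== "include" && acao === "*") return true;
  if (acao !== requestOrigin) return false;             // exact compare; "*" never matches here
  if (credentialsMode !== "include") return true;
  return headers["access-control-allow-credentials"] === "true"; // literal, case-sensitive
}

// Can a page at attackerOrigin read an authenticated (credentialed) response
// from a server that applies `policy`?
function attackerCanRead(policy, attackerOrigin) {
  return browserCorsCheck(policy(attackerOrigin), attackerOrigin, "include");
}

// Run each policy against a few request origins and print the outcome.
const ORIGINS = [
  "https://app.xploitscan.com",                  // legitimate
  "https://attacker.example",                    // arbitrary third party
  "https://evilxploitscan.com",                  // defeats a suffix check
  "https://app.xploitscan.com.attacker.example", // looks like a subdomain, is not
  "null",                                        // sandboxed iframe / data: URL
];
const POLICIES = { reflectingPolicy, wildcardWithCredentialsPolicy, suffixPolicy, allowlistPolicy };
for (const [name, policy] of Object.entries(POLICIES)) {
  for (const origin of ORIGINS) {
    console.log(`${name.padEnd(32)} ${origin.padEnd(46)} readable=${attackerCanRead(policy, origin)}`);
  }
}
```

Only the allowlist policy leaves every attacker origin unreadable while still serving `https://app.xploitscan.com`; the wildcard-plus-credentials policy is refused for credentialed requests but still readable by anyone when credentials are omitted, which is why the rule also flags it on routes returning user-specific data.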

About A05:2021 Security Misconfiguration

Security misconfiguration covers all the ways a correctly-coded app still ships insecurely — debug endpoints in production, permissive CORS, missing security headers, default credentials. AI coding tools frequently generate scaffolding with development defaults that should never be deployed.

Impact: Permissive CORS (the request origin reflected into `Access-Control-Allow-Origin` with credentials allowed) lets any website a user visits read that user's authenticated API responses; `*` with credentials is refused by browsers, but it usually marks a policy that was meant to do exactly that. Debug mode in production leaks stack traces with file paths and library versions, helping attackers find more bugs. Missing CSP leaves an XSS fully exploitable where a strict CSP would have blocked the injected script.

How to fix it: Treat configuration like code: review it, test it, lock it down before production. Use an allowlist for CORS, never `*` with credentials. Disable debug/development features in prod builds. Set the standard security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).

Common patterns in this category:

  • CORS configured with `*` origin and credentials enabled
  • Debug or development middleware enabled in production
  • Missing Content-Security-Policy header
  • Missing Strict-Transport-Security header
  • Default admin credentials left in place

Compliance coverage

Findings from this rule map to the following framework controls:

SOC 2: CC6.6, CC7.1
ISO 27001: A.8.9, A.8.20
OWASP Top 10: A05:2021 Security Misconfiguration
CWE: CWE-942

See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.

Scan your code for VC009 and 157 other rules

Free, no signup. Drag and drop a zip or run npx xploitscan scan .


Related rules in A05:2021