GHSA-Q78P-HJ9H-5466
Vulnerability from github – Published: 2026-07-15 21:57 – Updated: 2026-07-15 21:57Impact
The FiftyOne App/API server (fiftyone/server/app.py) and the /media route (fiftyone/server/routes/media.py) unconditionally set a permissive CORS header (Access-Control-Allow-Origin: *) on their responses. Because the embedded App server runs locally and is unauthenticated, this allows any website a user visits to make cross-origin requests to that user's running FiftyOne server and read the responses.
Combined with the unauthenticated /media endpoint — which serves files from the local filesystem by path — the wildcard CORS policy turns a local-only file read into a remotely exploitable, drive-by data exfiltration vulnerability. A malicious web page can silently issue requests such as http://localhost:5151/media?filepath=/etc/passwd and read arbitrary files accessible to the server process (SSH keys, cloud credentials, .env files, dataset media, etc.), then exfiltrate them to an attacker-controlled endpoint.
The victim only needs to have a FiftyOne server running locally and visit a malicious page — no clicks or other interaction are required. Browsers that have shipped Private Network Access / local-network-access protections (e.g. Chromium 142+) mitigate this for some users, but Safari and Firefox do not yet, so the attack remains viable in common configurations.
Who is impacted: any user running FiftyOne (the open-source, embedded App server) locally while also browsing the web.
Not affected: media stored in cloud buckets, which is served via signed URLs on a separate origin.
Patches
Fixed in FiftyOne 1.17.0. The hard-coded Access-Control-Allow-Origin: * has been removed and the server now responds same-origin only by default, which covers local desktop usage and the supported notebook integrations (each served through a same-origin proxy or iframe).
Cross-origin access is now opt-in via a new allowed_origins config option (environment variable FIFTYONE_ALLOWED_ORIGINS), an explicit comma-separated list of trusted origins, e.g.:
export FIFTYONE_ALLOWED_ORIGINS='https://app.example.com,http://localhost:3000'
The literal value * restores the legacy wildcard behavior for users who explicitly require it and emits a warning.
Users should upgrade to FiftyOne 1.17.0 or later.
Workarounds
In affected versions there is no configuration flag to disable the wildcard CORS header without upgrading. Until you can upgrade:
- Do not run the FiftyOne App server while browsing untrusted websites.
- Keep the App server bound to
localhost(the default) and avoid exposing it on a network interface. - Use a browser that enforces Private Network Access protections.
Resources
- OWASP A01:2025 – Broken Access Control: https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "fiftyone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.17.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-53656"
],
"database_specific": {
"cwe_ids": [
"CWE-346",
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-15T21:57:29Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nThe FiftyOne App/API server (`fiftyone/server/app.py`) and the `/media` route (`fiftyone/server/routes/media.py`) unconditionally set a permissive CORS header (`Access-Control-Allow-Origin: *`) on their responses. Because the embedded App server runs locally and is unauthenticated, this allows **any website a user visits to make cross-origin requests to that user\u0027s running FiftyOne server and read the responses**.\n\nCombined with the unauthenticated `/media` endpoint \u2014 which serves files from the local filesystem by path \u2014 the wildcard CORS policy turns a local-only file read into a **remotely exploitable, drive-by data exfiltration** vulnerability. A malicious web page can silently issue requests such as `http://localhost:5151/media?filepath=/etc/passwd` and read arbitrary files accessible to the server process (SSH keys, cloud credentials, `.env` files, dataset media, etc.), then exfiltrate them to an attacker-controlled endpoint.\n\nThe victim only needs to have a FiftyOne server running locally and visit a malicious page \u2014 no clicks or other interaction are required. Browsers that have shipped Private Network Access / local-network-access protections (e.g. Chromium 142+) mitigate this for some users, but Safari and Firefox do not yet, so the attack remains viable in common configurations.\n\n**Who is impacted:** any user running FiftyOne (the open-source, embedded App server) locally while also browsing the web.\n\n**Not affected:** media stored in cloud buckets, which is served via signed URLs on a separate origin.\n\n### Patches\n\nFixed in **FiftyOne 1.17.0**. The hard-coded `Access-Control-Allow-Origin: *` has been removed and the server now responds **same-origin only by default**, which covers local desktop usage and the supported notebook integrations (each served through a same-origin proxy or iframe).\n\nCross-origin access is now opt-in via a new `allowed_origins` config option (environment variable `FIFTYONE_ALLOWED_ORIGINS`), an explicit comma-separated list of trusted origins, e.g.:\n\n```shell\nexport FIFTYONE_ALLOWED_ORIGINS=\u0027https://app.example.com,http://localhost:3000\u0027\n```\n\nThe literal value `*` restores the legacy wildcard behavior for users who explicitly require it and emits a warning.\n\n**Users should upgrade to FiftyOne 1.17.0 or later.**\n\n### Workarounds\n\nIn affected versions there is no configuration flag to disable the wildcard CORS header without upgrading. Until you can upgrade:\n\n- Do not run the FiftyOne App server while browsing untrusted websites.\n- Keep the App server bound to `localhost` (the default) and avoid exposing it on a network interface.\n- Use a browser that enforces Private Network Access protections.\n\n### Resources\n\n- OWASP A01:2025 \u2013 Broken Access Control: https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/",
"id": "GHSA-q78p-hj9h-5466",
"modified": "2026-07-15T21:57:29Z",
"published": "2026-07-15T21:57:29Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/voxel51/fiftyone/security/advisories/GHSA-q78p-hj9h-5466"
},
{
"type": "WEB",
"url": "https://github.com/voxel51/fiftyone/commit/7c5b92eec5c7c0210c0c8134351ced77d2800ae0"
},
{
"type": "PACKAGE",
"url": "https://github.com/voxel51/fiftyone"
},
{
"type": "WEB",
"url": "https://github.com/voxel51/fiftyone/releases/tag/v1.17.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "FiftyOne App server uses wildcard CORS (Access-Control-Allow-Origin: *), enabling cross-origin reads of local server data"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.