Description:
A CRITICAL security vulnerability exists in `backend/server.js` at line 16. The server applies `app.use(cors('*'))`, a fully open wildcard CORS policy, to every API endpoint, including `/api/auth/signup` and `/api/auth/login`. As a result, JavaScript running on any origin can call these endpoints and read the full response body.
Impact:
An attacker can host a malicious page that silently abuses the open API:
- Account enumeration at scale: call `POST /api/auth/signup` for thousands of emails; a `400 "User already exists"` response reveals that the account is registered, a `201` means the address is free.
- Unsolicited account creation: the attacker can register arbitrary accounts, consuming target email addresses and locking real users out of signup.
- Future risk: any endpoint added later inherits the same policy, because `Access-Control-Allow-Origin: *` is set globally rather than per route. (Browsers refuse to combine a wildcard with credentials, so cookie-authenticated responses are not readable this way today, but moving to a reflected origin with `credentials: true` without an allowlist would expose them to every origin.)
Steps to Reproduce:
1. From a page served on any other origin (e.g. `https://evil.com`), send a cross-origin request to `POST /api/auth/signup` with a target address such as `victim@company.com`.
2. The browser allows the request and returns the full response (no CORS block).
3. A `400 "User already exists"` response means `victim@company.com` is registered.
Expected Behaviour:
CORS should only allow requests from the known frontend origins (e.g. `http://localhost:5173` in development, the production domain in production). Requests from all other origins should be rejected by the browser with a CORS error. Note that CORS governs only whether a cross-origin page may read the response; the request itself still reaches the server, so the allowlist does not by itself stop unsolicited signups, and that endpoint also needs server-side rate limiting.
Proposed Fix:
Replace the wildcard with an allowlist driven by an environment variable. Origins are compared by exact string match; a missing `Origin` header (same-origin navigations, curl, server-to-server calls) is allowed because CORS is a browser-side control and those callers are not subject to it:

```js
// server.js
const allowedOrigins = (process.env.ALLOWED_ORIGINS || 'http://localhost:5173').split(',');

app.use(cors({
  origin: (origin, callback) => {
    // No Origin header: not a cross-origin browser request, let it through.
    // Otherwise the origin must exactly match one entry of the allowlist.
    if (!origin || allowedOrigins.map(o => o.trim()).includes(origin)) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  },
  credentials: true,
}));
```

Add `ALLOWED_ORIGINS` to `.env.sample` so the new variable is documented for other developers.
Please assign this issue to me under GSSoC 2026. I will open a PR with a complete fix covering all affected files, proper test coverage, and verification steps.
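The allowlist logic from the proposed fix, extracted into plain functions so it can be unit-tested without Express or the `cors` package. This is an added example, not the project's code: the `ALLOWED_ORIGINS` comma-separated format and the `http://localhost:5173` default follow the fix above, while `parseAllowedOrigins`, `isOriginAllowed`, `corsHeadersFor`, the sample origin list and the `https://app.example.com` domain are assumptions for illustration. It also shows two things the fix snippet does not spell out: why the comparison must be an exact match rather than a prefix match, and which response headers an allowed origin should receive when credentials are enabled.

```javascript
// Added example (not the project's code): testable equivalent of the
// origin-allowlist callback in the proposed fix.

// Parse the ALLOWED_ORIGINS env value (comma-separated, whitespace tolerated).
// Falls back to the dev origin used in the fix when the variable is unset.
function parseAllowedOrigins(envValue, fallback = 'http://localhost:5173') {
  return (envValue || fallback)
    .split(',')
    .map((o) => o.trim())
    .filter((o) => o.length > 0);
}

// True when the Origin header is absent (same-origin navigation, curl,
// server-to-server) or exactly matches an allowlisted origin.
// Exact comparison is deliberate: with startsWith/includes matching,
// "https://app.example.com.evil.com" or "https://app.example.com:8443"
// would slip past an entry for "https://app.example.com". The literal
// string "null" (sandboxed iframes, file:// pages) is rejected as well.
function isOriginAllowed(origin, allowedOrigins) {
  if (origin === undefined || origin === null) return true;
  return allowedOrigins.includes(origin);
}

// Response headers to emit for a given request Origin. With credentials
// enabled the origin must be reflected (a wildcard is refused by browsers),
// and Vary: Origin stops a shared cache from replaying one origin's
// Access-Control-Allow-Origin to a different origin.
function corsHeadersFor(origin, allowedOrigins) {
  if (!origin || !isOriginAllowed(origin, allowedOrigins)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Same (origin, callback) shape the cors middleware's `origin` option takes.
function makeOriginCallback(allowedOrigins) {
  return (origin, callback) => {
    if (isOriginAllowed(origin, allowedOrigins)) callback(null, true);
    else callback(new Error('Not allowed by CORS'));
  };
}

// Constructed sample of what ALLOWED_ORIGINS might hold in production.
const SAMPLE_ENV = 'https://app.example.com, http://localhost:5173';
const sampleAllowed = parseAllowedOrigins(SAMPLE_ENV);

// Walk a few origins through the check the way the middleware would.
for (const origin of [
  'https://app.example.com',
  'https://app.example.com.evil.com',
  'https://evil.com',
  'null',
  undefined,
]) {
  console.log(
    String(origin).padEnd(36),
    isOriginAllowed(origin, sampleAllowed) ? 'allowed' : 'rejected',
    JSON.stringify(corsHeadersFor(origin, sampleAllowed)),
  );
}
```

Wire `makeOriginCallback(parseAllowedOrigins(process.env.ALLOWED_ORIGINS))` into `cors({ origin: ..., credentials: true })` and the behaviour matches the fix above; the `cors` package already adds `Vary: Origin` for a reflected origin, so `corsHeadersFor` is there to make that requirement visible in a test, not to replace the middleware.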
Labels: type:bug, level:advanced, gssoc:approved, gssoc26