[BUG] Security: Overly Permissive CORS Configuration Allows Any Origin to Access API #20

@EnthusiasticTech

Project

vgrep

Description

The vgrep server configures CORS with allow_origin(Any), allow_methods(Any), and allow_headers(Any). This allows any website to make cross-origin requests to the vgrep API, potentially enabling malicious websites to extract indexed code from users' machines when the server is running.

Error Message

Debug Logs

< HTTP/1.1 200 OK
< content-type: application/json
< vary: origin, access-control-request-method, access-control-request-headers
< access-control-allow-origin: *
< content-length: 43
< date: Mon, 19 Jan 2026 11:49:03 GMT

System Information

Bounty Version: 0.1.0
OS: Ubuntu 24.04 LTS
CPU: AMD EPYC-Genoa Processor (8 cores)
RAM: 15 GB

Screenshots

No response

Steps to Reproduce

  1. Start the vgrep server: vgrep serve
  2. Run the following curl command to simulate a request from an external origin:
    curl -v -X POST http://127.0.0.1:7777/search \
      -H "Content-Type: application/json" \
      -H "Origin: https://evil-website.com" \
      -d '{"query": "password", "max_results": 3}'
  3. Observe the response headers

Expected Behavior

The server should reject requests from untrusted origins, or at minimum restrict CORS to localhost (127.0.0.1) by default. The response should NOT include access-control-allow-origin: *.

Actual Behavior

The server accepts the request and returns:
access-control-allow-origin: *
The request from https://evil-website.com is processed and results are returned.

Additional Context

No response
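The report above describes a CORS layer built with allow_origin(Any), allow_methods(Any) and allow_headers(Any) (the naming matches tower-http's CorsLayer builder). As an added example, written for this page and not taken from vgrep, the following stand-alone Rust models that policy decision beside a loopback-only allow-list, so the effect on the reporter's Origin: https://evil-website.com request can be checked without a running server. It assumes the port 7777 and the JSON POST from the curl command in the report; the OriginPolicy enum, the function names and the allowed method/header lists are illustrative, not vgrep's.

```rust
use std::collections::BTreeMap;

/// Port taken from the issue's `vgrep serve` reproduction (assumed; not read from vgrep).
pub const LOCAL_PORT: u16 = 7777;

/// What the /search endpoint is assumed to need, based on the report's curl command:
/// a POST carrying a Content-Type header. Anything beyond this is refused at preflight.
pub const ALLOWED_METHODS: &[&str] = &["POST"];
pub const ALLOWED_REQUEST_HEADERS: &[&str] = &["content-type"];

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum OriginPolicy {
    /// The configuration the issue describes: `allow_origin(Any)` answers `*` to every origin.
    Any,
    /// Loopback origins only, compared as whole strings.
    LocalhostOnly,
}

/// True for the loopback origins a local browser tab could legitimately have.
/// Whole-string comparison matters: a prefix or substring check would accept
/// `http://127.0.0.1:7777.evil-website.com`.
pub fn is_local_origin(origin: &str) -> bool {
    ["127.0.0.1", "localhost", "[::1]"]
        .iter()
        .any(|host| origin == format!("http://{host}:{LOCAL_PORT}"))
}

/// Decide whether a page at `origin` may read responses; returns the CORS headers to add.
/// An empty map means no grant, so the browser withholds the response body from the page.
pub fn cors_headers(policy: OriginPolicy, origin: &str) -> BTreeMap<&'static str, String> {
    let mut h = BTreeMap::new();
    match policy {
        OriginPolicy::Any => {
            h.insert("access-control-allow-origin", "*".to_string());
        }
        OriginPolicy::LocalhostOnly if is_local_origin(origin) => {
            // Echo the exact origin and mark the response as varying on it for caches.
            h.insert("access-control-allow-origin", origin.to_string());
            h.insert("vary", "origin".to_string());
        }
        OriginPolicy::LocalhostOnly => {}
    }
    h
}

/// Answer an OPTIONS preflight. A POST with `Content-Type: application/json` is not a
/// "simple" CORS request, so a browser sends this before the real request. `None`
/// means the preflight is refused and the browser never issues the POST.
pub fn preflight_headers(
    policy: OriginPolicy,
    origin: &str,
    requested_method: &str,
    requested_headers: &[&str],
) -> Option<BTreeMap<&'static str, String>> {
    let mut h = cors_headers(policy, origin);
    if !h.contains_key("access-control-allow-origin") {
        return None;
    }
    if !ALLOWED_METHODS.iter().any(|m| *m == requested_method) {
        return None;
    }
    // Header names are case-insensitive.
    let headers_ok = requested_headers
        .iter()
        .all(|r| ALLOWED_REQUEST_HEADERS.iter().any(|a| a.eq_ignore_ascii_case(r)));
    if !headers_ok {
        return None;
    }
    h.insert("access-control-allow-methods", ALLOWED_METHODS.join(", "));
    h.insert("access-control-allow-headers", ALLOWED_REQUEST_HEADERS.join(", "));
    Some(h)
}

fn main() {
    // Constructed origins: the reporter's test origin, a legitimate local tab,
    // and a look-alike that a prefix check would wrongly accept.
    let origins = [
        "https://evil-website.com",
        "http://127.0.0.1:7777",
        "http://127.0.0.1:7777.evil-website.com",
    ];
    for policy in [OriginPolicy::Any, OriginPolicy::LocalhostOnly] {
        for origin in origins {
            let grant = cors_headers(policy, origin);
            let preflight = preflight_headers(policy, origin, "POST", &["content-type"]);
            println!(
                "{policy:?} {origin}: allow-origin={:?} preflight_ok={}",
                grant.get("access-control-allow-origin"),
                preflight.is_some()
            );
        }
    }
}
```

Two things worth keeping in mind when reading the report's curl output against this model. curl does not enforce CORS, so step 2 only shows the policy the server advertises; a browser is what decides whether a page on evil-website.com gets to read the /search response, and because the request carries Content-Type: application/json the browser first sends an OPTIONS preflight, which allow_methods(Any) and allow_headers(Any) approve. In tower-http the tightened form corresponds to passing an explicit origin list or AllowOrigin::predicate to allow_origin instead of Any, and naming the methods and headers instead of Any.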

Metadata

Assignees

No one assigned

    Labels

    bug (Something isn't working), invalid (This doesn't seem right), vgrep

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
