Severity: Critical
CVSS Score: 9.3
### Impact Some CORS middleware (more specifically those created by specifying two or more origin patterns whose hosts share a proper suffix) incorrectly allow some untrusted origins, thereby opening the door to cross-origin attacks from the untrusted origins in question. For example, specifying origin patterns `https://foo.com` and `https://bar.com` (in that order) would yield a middleware that would incorrectly allow untrusted origin `https://barfoo.com`. ### Patches Patched in v0.9.0. ### Workarounds None.