## PraisonAI Codebase Exposes 3 Unpatched CORS Vulnerabilities (CWE-942) Post-Audit
A recent security audit of the PraisonAI codebase has left three critical CORS misconfiguration vulnerabilities unaddressed, flagged as a medium-high risk. These specific issues, categorized under CWE-942, involve the use of a wildcard origin (`allow_origins=["*"]`) in the CORS middleware setup. This configuration allows any external website to make cross-origin requests to the PraisonAI API, creating a direct pathway for credential theft and CSRF attacks. The vulnerabilities were identified by a semgrep security scan using OWASP Top 10 and Python security rulesets but were deliberately excluded from a previous patch that fixed 29 other MD5 and debug-related issues.

The decision to leave these flaws open stems from their requirement for architectural decisions from the project's maintainers, indicating a deeper integration challenge beyond a simple code fix. The three instances of the wildcard CORS configuration represent a significant, unresolved exposure point in the application's security posture. While a prior pull request (#1319) successfully addressed numerous other vulnerabilities, the persistence of these CORS misconfigurations highlights a potential gap between automated scanning results and actionable remediation when core design choices are involved.

This situation places PraisonAI's maintainers under direct scrutiny, forcing a critical decision: implement a more restrictive, origin-specific CORS policy or accept the ongoing risk of cross-origin attacks. The medium-high risk rating underscores the tangible threat of malicious websites exploiting this misconfiguration to hijack user sessions or perform unauthorized actions. The unresolved status of these vulnerabilities, post-audit, signals a potential pressure point in the project's security governance and its prioritization of architectural refactoring versus immediate threat mitigation.
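To make the misconfiguration concrete, here is an added example (not code from PraisonAI or its audit) that models the browser-facing effect of `allow_origins=["*"]` against an explicit allowlist, and builds the keyword arguments that would replace the wildcard in a Starlette/FastAPI `CORSMiddleware` setup; the origins are constructed sample values, and the reflection rule follows Starlette's behaviour of echoing the caller's origin when a wildcard policy meets a request that carries cookies.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist for the hardened configuration.
ALLOWED_ORIGINS = ["https://app.example.com", "https://admin.example.com"]


def cors_allow_origin(allow_origins, request_origin, has_cookie=False):
    """Return the Access-Control-Allow-Origin value a response would carry,
    or None when the browser must block the cross-origin read.

    Modelled on Starlette's CORSMiddleware: with allow_origins=["*"] every
    origin is answered, and when the request carries cookies the caller's
    own origin is reflected so the browser accepts a credentialed response.
    That reflection is what turns a wildcard into a session-hijack path.
    """
    if "*" in allow_origins:
        return request_origin if has_cookie else "*"
    if request_origin in allow_origins:
        return request_origin      # exact match only; no prefix or regex
    return None                    # no header: the browser blocks the read


def hardened_cors_kwargs(allowed):
    """Build the CORSMiddleware keyword arguments that replace the wildcard.

    Rejects "*" and anything that is not a bare scheme://host[:port] origin,
    because a path, query or trailing slash never matches an Origin header
    and would silently break the allowlist.
    """
    for origin in allowed:
        parts = urlsplit(origin)
        if (origin == "*" or parts.scheme not in ("https", "http")
                or not parts.netloc or parts.path or parts.query
                or parts.fragment):
            raise ValueError(f"not an explicit origin: {origin!r}")
    return {
        "allow_origins": list(allowed),   # explicit origins, never "*"
        "allow_credentials": True,        # cookies only for listed origins
        "allow_methods": ["GET", "POST"], # narrow the preflight surface too
        "allow_headers": ["Authorization", "Content-Type"],
    }
```

In an application this would be wired as `app.add_middleware(CORSMiddleware, **hardened_cors_kwargs(ALLOWED_ORIGINS))`, with the allowlist loaded from deployment configuration rather than hard-coded.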
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CORS, Security Vulnerability, Code Audit, API Security, CWE-942
- **Credibility**: unverified
- **Published**: 2026-04-09 06:27:10
- **ID**: 56318
- **URL**: https://whisperx.ai/en/intel/56318