We use cookies to improve your experience on our site.
AVID-2026-R1379
Description
CORS Vulnerability in feast-dev/feast (CVE-2024-11602)
Details
A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can bypass intended security controls and potentially expose sensitive information.
Reason for inclusion in AVID: CVE-2024-11602 describes a CORS misconfiguration in Feast, a feature store used in ML pipelines. It affects software components (feast-dev/feast) that are part of AI infrastructure, enabling potential data exposure via network access. This is a software supply chain/security vulnerability relevant to general-purpose AI stacks, with sufficient evidence in the report.
References
Affected or Relevant Artifacts
- Developer: feast-dev
- Deployer: feast-dev
- Artifact Details:
| Type | Name |
|---|---|
| System | feast-dev/feast |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
| Base Score | 7.4 |
| Base Severity | 🔴 High |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | NONE |
| Availability Impact | NONE |
CWE
| ID | Description |
|---|---|
| CWE-346 | CWE-346 Origin Validation Error |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry