Project
vgrep
Description
The CORS configuration allows any origin, method, and header, which is a security concern if the server is accidentally exposed to a network.
Error Observation
Any website can make cross-origin requests to the vgrep API if the server is network-accessible.
Error Message
Debug Logs
System Information
Version: 0.1.0
## Operating System
OS: Ubuntu 24.04.3 LTS
Kernel: 6.8.0-79-generic
Arch: x86_64
## Hardware
CPU: AMD Ryzen 9 5950X 16-Core Processor (4 cores)
RAM: 11 GB
## Build Environment
Rust: rustc 1.92.0 (ded5c06cf 2025-12-08)
Target: x86_64
Screenshots
No response
Steps to Reproduce
- Open src/server/api.rs
- Examine lines 106-109:

```rust
// Permissive configuration: any origin, method and header is accepted
let cors = CorsLayer::new()
    .allow_origin(Any)
    .allow_methods(Any)
    .allow_headers(Any);
```

- Start the vgrep server binding to 0.0.0.0
- From another machine, make a cross-origin request; it succeeds
Expected Behavior
Should restrict CORS to localhost origins or warn when binding to non-localhost addresses.
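One way to implement that expectation, as an added example written for this report rather than vgrep's own code: a std-only origin predicate that accepts only loopback origins, plus a bind-address check that yields the warning. Plugging the predicate into tower-http's AllowOrigin::predicate in place of Any is assumed and not compiled here.

```rust
use std::net::{IpAddr, SocketAddr};

// Accepts "" or ":<u16>" as the optional port suffix of an Origin host.
fn valid_port_suffix(suffix: &str) -> bool {
    suffix.is_empty() || suffix.strip_prefix(':').map_or(false, |p| p.parse::<u16>().is_ok())
}

/// True when a request's `Origin` header names a loopback origin such as
/// http://localhost:3000, http://127.0.0.1:8080 or http://[::1]:8080.
/// Everything else is rejected, including the literal "null" origin that
/// sandboxed iframes and file:// pages send.
pub fn is_localhost_origin(origin: &str) -> bool {
    let rest = match origin.strip_prefix("http://").or_else(|| origin.strip_prefix("https://")) {
        Some(r) => r,
        None => return false,
    };
    // A serialized origin is scheme://host[:port]; no path, query or userinfo.
    if rest.contains('/') || rest.contains('@') {
        return false;
    }
    let host = if let Some(after_bracket) = rest.strip_prefix('[') {
        // IPv6 literal: "[::1]" or "[::1]:8080"
        match after_bracket.split_once(']') {
            Some((ip, suffix)) if valid_port_suffix(suffix) => ip,
            _ => return false,
        }
    } else {
        match rest.rsplit_once(':') {
            Some((h, port)) if port.parse::<u16>().is_ok() => h,
            Some(_) => return false,
            None => rest,
        }
    };
    host.eq_ignore_ascii_case("localhost")
        || host.parse::<IpAddr>().map_or(false, |ip| ip.is_loopback())
}

/// Warning to log when the listener is reachable from other hosts
/// (e.g. 0.0.0.0 or [::]); None for a loopback bind.
pub fn bind_warning(addr: SocketAddr) -> Option<String> {
    if addr.ip().is_loopback() {
        return None;
    }
    Some(format!(
        "vgrep is listening on {addr}, which is not a loopback address; \
         the API is reachable from other hosts"
    ))
}
```

The predicate is meant to replace `.allow_origin(Any)`; the warning belongs where the server parses its bind address.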
Actual Behavior
Permissive CORS allows any origin, potentially exposing local file embeddings to malicious websites.
Additional Context
Developers may accidentally expose vgrep via port forwarding or tunnels (ngrok, etc.).