Overview
A vulnerability in cross-origin resource sharing (CORS) headers in Chromium, Google Chrome, Microsoft Edge, Safari, and Firefox enables the CORS policy to be manipulated. Combined with a DNS rebind, an attacker can send arbitrary requests to services listening on arbitrary ports regardless of CORS policy in place by the target. Users should apply the mitigations provided by the browser suppliers by applying the updates accordingly.
Description
Cross-origin resource sharing is a mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own that are permitted to load resources in the browser. For example, when a website needs to access your account data from a different website, a CORS policy is usually one of the best ways to set up that communication. However, CORS can be incorrectly implemented depending on the use case. As a result, attackers can exploit CORS misconfigurations or even chain them with other vulnerabilities to affect a system.
A DNS rebinding attack abuses the way browsers rely on hostnames to recognize different servers across a network. Hostnames are not directly bound to network devices and can be resolved to an arbitrary IP address dictated by a domain owner's DNS record. Attackers can abuse a victim's browser as a proxy to extend the attack surface to private networks. For example, an attacker tricks a victim into opening a malicious website where it scans for open web services in local networks. After locating target services, the attacker can then make an educated guess as to which of those services's IP address to rebind to the malicious website in order to access its resources without violating the same-origin policy.
The ability to conduct a DNS rebinding attack and manipulating CORS headers in order to enable malicious exfiltration of data has been observed to be successful on Chromium, Google Chrome, Microsoft Edge, Safari, and Firefox. An attacker can use a malicious site to execute a JavaScript payload that periodically sends CORS headers in order to ask the server if the cross-origin request is safe and allowed. Naturally, the attacker-controlled hostname will respond with permissive CORS headers that will circumvent the CORS policy. The attacker then performs a DNS rebind attack so that the hostname is assigned the IP address of the target service. After the DNS responds with the changed IP address, the new target inherits the relaxed CORS policy, allowing an attacker to potential exfiltrate data from the target.
Mozilla has assigned CVE-2025-8036 for this vulnerability.
Impact
The impact depends on the target. Exposure of private networks and unauthorized access to sensitive data are all within the realm of possibility.
Solution
DNS rebind attacks can have serious consequences when exploited, so we recommend keeping your browser up to date for the latest vulnerability patches.
Acknowledgements
Thanks to the reporter who wishes to remain anonymous. This document was written by Ben Koo.
Vendor Information
Other Information
| CVE IDs: | CVE-2025-8036 |
| API URL: | VINCE JSON | CSAF |
| Date Public: | 2025-10-17 |
| Date First Published: | 2025-10-17 |
| Date Last Updated: | 2025-10-17 11:45 UTC |
| Document Revision: | 1 |