CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
Last updated
Overview
If a cross-domain policy file includes domains that should not be trusted, such as when using wildcards under a high-level domain, then the application could be attacked by these untrusted domains. In many cases, the attack can be launched without the victim even being aware of it.
Background
In HTTP/HTTPS, policies such as the Same Origin Policy prevent web clients from loading resources from (or making requests to) domains that did not match the web site's own domain, e.g., Javascript or other code hosted on third-party servers. These policies are strictly enforced by browsers and other products. However, these restrictions can be reduced using mechanisms that specify other domains that are allowed to be contacted from the original site, such as Content Security Policy (CSP) or cross-domain policy files (e.g., "crossdomain.xml" in Adobe Flash or Reader, "clientaccesspolicy.xml" in Silverlight, etc.). These mechanisms define a list of domains from which a client is allowed to make cross-domain requests. When making a cross-domain request, the client will first look for the policy file on the target server. If it is found, and the domain hosting the application is explicitly allowed to make requests, the request is made.
Real-world CVEs
90 recorded CVEs are caused by CWE-942 (Permissive Cross-domain Security Policy with Untrusted Domains). The highest-severity and most recent are shown first. 41 new CWE-942 CVEs have been recorded so far in 2026 (21 in 2025).
- CVE-2025-27909
IBM Concert Software cross-origin resource sharing
Critical · CVSS 9.8 · EPSS 10th2025-08-18 - CVE-2024-37131Critical · CVSS 9.8 · EPSS 39th2024-06-13
- CVE-2023-50940Critical · CVSS 9.8 · EPSS 37th2024-02-02
- CVE-2022-26969Critical · CVSS 9.8 · EPSS 56th2022-12-26
- CVE-2022-31736Critical · CVSS 9.8 · EPSS 61th2022-12-22
- CVE-2021-27786Critical · CVSS 9.8 · EPSS 42th2022-06-07
- CVE-2026-34449
SiYuan: Cross-Origin RCE via Permissive CORS Policy and JavaScript Snippet Injection
Critical · CVSS 9.7 · EPSS 39th2026-03-31 - CVE-2020-36851
Rob--W cors-anywhere Misconfigured CORS Proxy Allows SSRF
Critical · CVSS 9.5 · EPSS 59th2025-09-25 - CVE-2026-9739Critical · CVSS 9.4 · EPSS 20th2026-05-27
- CVE-2026-61736
LightRAG: CORS Wildcard + Credentials Enables Any-Origin Credentialed Requests
Critical · CVSS 9.3 · EPSS 22th2026-07-15 - CVE-2026-44895
GitLab MCP Server: SSE transport has no authentication and wildcard CORS, exposing all GitLab tools
Critical · CVSS 9.2 · EPSS 31th2026-05-26 - CVE-2026-8948
Same-origin policy bypass in the DOM: Networking component
Critical · CVSS 9.1 · EPSS 34th2026-05-19
Showing 12 of 90 recorded CWE-942 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-942 vulnerabilitiesCommon consequences
What can happen when CWE-942 is exploited.
Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Varies by Context
Affects: Confidentiality, Integrity, Availability, Access Control
With an overly permissive policy file, an attacker may be able to bypass the web browser's same-origin policy and conduct many of the same attacks seen in Cross-Site Scripting (CWE-79). An attacker can exploit the weakness to transfer private information from the victim's machine to the attacker, manipulate or steal cookies that may include session information, create malicious requests to a web site on behalf of the victim, or execute malicious code on the end user systems. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, running ActiveX controls (under Microsoft Internet Explorer) from sites that a user perceives as trustworthy, and modifying presentation of content.
How it happens
When it is introduced
Typically introduced during these phases of the software lifecycle.
Applies to
Technologies
How to prevent it
Practical mitigations for CWE-942, grouped by where in the lifecycle they apply.
Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.
For Flash, modify crossdomain.xml to use meta-policy options such as 'master-only' or 'none' to reduce the possibility of an attacker planting extraneous cross-domain policy files on a server.
How to detect it
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Effectiveness: High
Code examples
Illustrative examples from MITRE showing how the weakness appears in code.
These cross-domain policy files mean to allow Flash and Silverlight applications hosted on other domains to access its data:
Vulnerable example
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"Vulnerable example
<?xml version="1.0" encoding="utf-8"?>Illustrative examples
Real CVEs that MITRE cites as examples of this weakness.
- CVE-2012-2292 — Product has a Silverlight cross-domain policy that does not restrict access to another application, which allows remote attackers to bypass the Same Origin Policy.
- CVE-2014-2049 — The default Flash Cross Domain policies in a product allows remote attackers to access user files.
- CVE-2007-6243 — Chain: Adobe Flash Player does not sufficiently restrict the interpretation and usage of cross-domain policy files, which makes it easier for remote attackers to conduct cross-domain and cross-site scripting (XSS) attacks.
- CVE-2008-4822 — Chain: Adobe Flash Player and earlier does not properly interpret policy files, which allows remote attackers to bypass a non-root domain policy.
- CVE-2010-3636 — Chain: Adobe Flash Player does not properly handle unspecified encodings during the parsing of a cross-domain policy file, which allows remote web servers to bypass intended access restrictions via unknown vectors.
Frequently asked questions
Common questions about CWE-942.
- What is CWE-942?
- The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
- What CVEs are caused by CWE-942?
- 90 recorded CVEs are attributed to CWE-942, including CVE-2025-27909, CVE-2024-37131, CVE-2023-50940.
- How do you prevent CWE-942?
- Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
- How is CWE-942 detected?
- Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
- What are the consequences of CWE-942?
- Exploiting CWE-942 can lead to: Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Read Application Data, Varies by Context.
- Is CWE-942 actively exploited?
- 90 recorded CVEs are caused by CWE-942; none are currently in CISA's KEV catalog of actively exploited flaws.
References
- MITRE CWE definition (CWE-942) (opens in a new tab)
- CWE-942 vulnerabilities on NVD (opens in a new tab)
- Learn: What is a CWE?
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Stay ahead of CWE-942
Get alerted the moment a new CWE-942 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.