CVE-2025-57755 HIGH

CVE-2025-57755: claude-code-router CORS misconfiguration

Vendor Musistudio
Product claude-code-router
Weakness CWE-200 · Info exposure
Published August 21, 2025
Last update August 21, 2025

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01 Description

claude-code-router is a powerful tool to route Claude Code requests to different models and customize any request. Due to improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API Keys or equivalent credentials may be exposed to untrusted domains. Attackers could exploit this misconfiguration to steal credentials, abuse accounts, exhaust quotas, or access sensitive data. The issue has been patched in v1.0.34.

Key dates

02 Disclosure timeline

August 21, 2025 CVE published
August 21, 2025 Record updated