
CISA issues alert on DNS rebinding affecting browser CORS policies

Multiple popular web browsers, including Chromium, Google Chrome, Microsoft Edge, Safari, and Firefox, are affected by a vulnerability involving manipulation of cross-origin resource sharing (CORS) headers that, when combined with a Domain Name System (DNS) rebinding attack, permits sending unauthorized requests to services on arbitrary ports regardless of established CORS policies.

This issue is tracked as CVE-2025-8036 and impacts various versions of the browsers mentioned. The vulnerability arises when CORS policies, which let servers specify the origins allowed to share resources, are manipulated through a DNS rebinding technique. The attack exploits how browsers associate hostnames with servers, using DNS records to reassign a hostname to the IP address of a target service. A malicious site runs JavaScript that sends crafted CORS requests, using permissive headers from attacker-controlled domains to bypass restrictions. The attacker then rebinds the hostname to the target service's IP, thus inheriting the relaxed CORS permissions and potentially exfiltrating data.

The potential consequences vary depending on the targets involved, with risks including unintended exposure of private networks and unauthorized retrieval of sensitive information.
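
A defender-side illustration of the rebinding step described above, added here and not taken from the alert or from any browser vendor: it scans resolver logs for a hostname whose answer moves from an external address to an internal one within a short window. The log format, the sample lines, the `find_rebinds` name and the 300-second window are assumptions.

```python
import ipaddress

# Ranges treated as "internal" targets. Listed explicitly because
# ipaddress.is_private also matches documentation ranges such as 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed resolver log (assumed format: epoch qname answer ttl).
SAMPLE_LOG = """\
1700000000 cdn.example.org 93.184.216.34 3600
1700000005 rebind.attacker.example 203.0.113.10 1
1700000009 Rebind.Attacker.Example. 192.168.1.20 1
1700000020 intranet.corp.example 10.0.0.5 300
1700000030 slow.example.net 198.51.100.7 60
1700009000 slow.example.net 127.0.0.1 60
malformed line
"""

def is_internal(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr.version == net.version and addr in net for net in INTERNAL_NETS)

def find_rebinds(log_text, window=300):
    """Return (qname, external_ip, internal_ip, gap_seconds) for each hostname
    that answered with an external address and then, within `window` seconds,
    with an internal one. The TTL is ignored: the domain owner controls it."""
    last_external = {}   # qname -> (timestamp, external answer)
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = int(parts[0])
            internal = is_internal(parts[2])
        except ValueError:          # bad timestamp or unparsable address
            continue
        qname = parts[1].lower().rstrip(".")   # DNS names are case-insensitive
        if internal:
            prev = last_external.get(qname)
            if prev is not None and 0 <= ts - prev[0] <= window:
                findings.append((qname, prev[1], parts[2], ts - prev[0]))
        else:
            last_external[qname] = (ts, parts[2])
    return findings

if __name__ == "__main__":
    for hit in find_rebinds(SAMPLE_LOG):
        print("possible rebind: %s %s -> %s after %ds" % hit)
```

This is a heuristic: names that only ever resolve internally are not flagged, and a flip that takes longer than the window (the `slow.example.net` lines) is missed unless the window is widened.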

Browser vendors have addressed this vulnerability by issuing updates that mitigate the threat. Users are advised to maintain their browser software at current versions to incorporate these security patches.

Users should follow guidance from browser developers to apply the necessary updates promptly to reduce exposure to such DNS rebinding and CORS header manipulation attacks.