
CVE-2025-57755: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in musistudio claude-code-router

Severity: High
Tags: Vulnerability, CVE-2025-57755, CWE-200, CWE-942
Published: Thu Aug 21 2025 (08/21/2025, 16:21:33 UTC)
Source: CVE Database V5
Vendor/Project: musistudio
Product: claude-code-router

Description

claude-code-router is a powerful tool to route Claude Code requests to different models and customize any request. Due to improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API Keys or equivalent credentials may be exposed to untrusted domains. Attackers could exploit this misconfiguration to steal credentials, abuse accounts, exhaust quotas, or access sensitive data. The issue has been patched in v1.0.34.

AI-Powered Analysis

Last updated: 08/21/2025, 16:47:53 UTC

Technical Analysis

CVE-2025-57755 is a high-severity vulnerability affecting musistudio's claude-code-router, a tool designed to route Claude Code requests to various models and customize these requests. The vulnerability arises from an improper Cross-Origin Resource Sharing (CORS) configuration, which allows unauthorized origins to access sensitive information such as user API keys or equivalent credentials. CORS is the browser mechanism that decides when a script on one web page may read responses from a different origin than the one that served the page; a server that answers with overly permissive CORS headers effectively opts out of that protection and can expose sensitive data to malicious websites. In this case, the misconfiguration lets an attacker craft a malicious web page that, when visited by a legitimate user, reads API keys from the router's local API. The stolen credentials can then be used to abuse the affected accounts, exhaust usage quotas, or access the sensitive data those API keys protect. The vulnerability affects all versions of claude-code-router prior to version 1.0.34, where the issue has been patched. The CVSS 4.0 score of 8.1 reflects the high impact of this vulnerability, with no authentication or user interaction required for exploitation and a network-based attack vector. The vulnerability impacts confidentiality, integrity, and availability, as attackers can gain unauthorized access to sensitive credentials and misuse them. Although no known exploits have been reported in the wild yet, the nature of the vulnerability makes it a significant risk if left unpatched.

Potential Impact

For European organizations using musistudio's claude-code-router, this vulnerability poses a serious risk. Exposure of API keys can lead to unauthorized access to internal systems or cloud services, resulting in data breaches, service disruptions, and financial losses due to quota exhaustion or fraudulent usage. Organizations relying on claude-code-router for routing AI model requests may face operational interruptions if attackers abuse stolen credentials. Additionally, sensitive data processed or accessed via these APIs could be compromised, violating data protection regulations such as GDPR. The reputational damage and potential regulatory penalties could be substantial. Since the vulnerability requires no user interaction or authentication, attackers can exploit it remotely and at scale, increasing the threat level. The absence of known exploits in the wild currently provides a window for mitigation, but the risk remains high due to the ease of exploitation and the sensitivity of exposed information.

Mitigation Recommendations

European organizations should immediately upgrade claude-code-router to version 1.0.34 or later, where the CORS misconfiguration has been corrected. Beyond patching, organizations should audit their CORS policies to ensure they follow the principle of least privilege, allowing only trusted domains to access resources. Implement strict validation of the Origin header and avoid using wildcard ('*') in Access-Control-Allow-Origin headers. Additionally, rotate any API keys or credentials that may have been exposed prior to patching to prevent unauthorized access. Employ monitoring and anomaly detection on API usage to identify unusual patterns indicative of credential abuse. Network-level controls such as Web Application Firewalls (WAFs) can be configured to block suspicious cross-origin requests. Finally, educate developers and security teams on secure CORS configuration and regularly review third-party components for vulnerabilities.
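The Origin allowlist recommended above, as an added example that is not code from claude-code-router or its patch: the permissive header set (reflecting any origin with credentials) is shown beside a strict exact-match policy for a Node http server; the port, origins and function names are assumptions.

```javascript
// Constructed allowlist: only the router's own UI origins are trusted (port assumed).
const ALLOWED_ORIGINS = new Set(['http://localhost:3456', 'http://127.0.0.1:3456']);

// Weak policy: reflecting whatever Origin arrives (or '*') while allowing credentials
// lets any site the user visits read responses that carry the stored API key.
function permissiveCorsHeaders(origin) {
  return {
    'Access-Control-Allow-Origin': origin || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: exact scheme://host:port match against the allowlist, no wildcard,
// 'Vary: Origin' so caches never serve one origin's response to another.
// Returns null when the origin is absent, malformed ("null"), or not trusted.
function strictCorsHeaders(origin, allowlist = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string') return null;
  let parsed;
  try { parsed = new URL(origin); } catch { return null; }
  // An Origin is only scheme, host and port; anything else is not a real origin.
  if (parsed.pathname !== '/' || parsed.search || parsed.hash || parsed.username) return null;
  const normalised = `${parsed.protocol}//${parsed.host}`; // lower-cases scheme and host
  if (!allowlist.has(normalised)) return null;
  return {
    'Access-Control-Allow-Origin': normalised,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Vary': 'Origin',
  };
}

// Per-request hook for a Node http server: sets headers for trusted origins, answers
// preflight, logs and refuses untrusted cross-origin callers with 403 (defence in depth,
// since simple requests still reach the server). Returns true when the request is done.
function handleCors(req, res) {
  const origin = req.headers.origin;
  if (origin === undefined) return false; // same-origin or non-browser client: nothing to do
  const headers = strictCorsHeaders(origin);
  if (headers === null) {
    console.warn(`[cors] rejected origin ${JSON.stringify(origin)} for ${req.method} ${req.url}`);
    res.writeHead(403); res.end(); return true;
  }
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') { res.writeHead(204); res.end(); return true; }
  return false;
}

module.exports = { ALLOWED_ORIGINS, permissiveCorsHeaders, strictCorsHeaders, handleCors };
```

The warning lines emitted on rejection double as a detection signal: a burst of rejected origins against a developer's local router is worth investigating.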


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-19T15:16:22.916Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a74a30ad5a09ad00128c41

Added to database: 8/21/2025, 4:32:48 PM

Last enriched: 8/21/2025, 4:47:53 PM

Last updated: 1/7/2026, 6:12:07 AM

