IBM Robotic Process Automation (RPA), a powerful automation tool used for streamlining business processes, has been found to be vulnerable to cross-origin resource sharing (CORS) attacks in versions 21.., 21..1, 21..2, 21..3, and 21..4. CVE-2022-41294 has been assigned to this vulnerability and tracked by IBM X-Force under ID 236807. This blog post discusses the details of the vulnerability, potential impacts, and potential mitigations.

Vulnerability Details

CORS (Cross-Origin Resource Sharing) is a security feature implemented in web browsers that restricts web pages (and, by extension, scripts) from making requests to a different domain than the one currently being displayed. The vulnerability in IBM RPA allows CORS to be bypassed when using the Bot API. This means that an attacker can make unauthorized requests to the Bot API from a different domain, possibly leading to the execution of unauthorized commands on the target system.

Here's a code snippet that demonstrates a problematic CORS configuration

app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");

In this example, the server is configured to allow any domain to make requests with various headers. The wildcard (*) in the "Access-Control-Allow-Origin" header indicates that requests from any domain are permitted, leaving the application exposed to potential CORS attacks.

Exploit Details

An attacker could exploit this vulnerability by crafting a malicious web page that hosts JavaScript code designed to make unauthorized requests to the Bot API. If the victim visits the attacker's web page while being authenticated to the IBM RPA system, the malicious script would run within the context of the victim's browser and potentially execute unauthorized actions on the IBM RPA system.

Here's an example of a simple exploit

<!DOCTYPE html>
<html lang="en">
  <meta charset="UTF-8">
  <title>Exploit CVE-2022-41294</title>
    var xhr = new XMLHttpRequest();
    var target_url = "";; // Target IBM RPA Bot API URL
    var data = { action: 'unauthorized_action' };'POST', target_url, true);
    xhr.setRequestHeader('Content-Type', 'application/json');

Original references

1. CVE-2022-41294
2. IBM X-Force ID: 236807
3. IBM Security Bulletin

Mitigations and Recommendations

IBM has released patches for the affected versions of IBM RPA, and users are advised to update to the latest version to protect their systems from potential exploitation. Additionally, developers and system administrators can implement proper CORS configurations to prevent exploitation. Instead of using a wildcard in the "Access-Control-Allow-Origin" header, specify a list of trusted domains that should have access to the Bot API:

app.use(function(req, res, next) {
  var allowedOrigins = ["";, "";];
  var origin = req.headers.origin;

  if (allowedOrigins.indexOf(origin) > -1) {
    res.header("Access-Control-Allow-Origin", origin);

  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");


CVE-2022-41294, the CORS vulnerability identified in IBM RPA versions 21.. to 21..4, could potentially allow attackers to execute unauthorized actions on affected systems. To protect your organization from potential exploitation, ensure that you patch your IBM RPA installation to the latest version and properly configure CORS settings.


Published on: 10/06/2022 18:16:00 UTC
Last modified on: 10/14/2022 20:30:00 UTC