CVE-2009-2816

The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page.

Published: 2009-11-13 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2009-2816 is rated Moderate Risk (55.9/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.15%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2009-2816

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-03-30 2.46% 2.15% -0.31%
2 2025-03-29 2.15% 2.46% +0.31%
3 2025-03-17 2.15%

Full EPSS history (6 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2009-2816

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.8 2.0 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 8.6 6.4 [email protected]

Weakness enumeration for CVE-2009-2816

OS Trackers for CVE-2009-2816

vendor priority summary link
redhat medium https://access.redhat.com/security/cve/CVE-2009-2816
ubuntu medium CVE-2009-2816 medium priority: Ubuntu including 2 source packages (qt4-x11, webkit), 18 status rows across 9 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, upstream): not-affected 9, ignored 6, needs-triage 2, DNE 1. https://ubuntu.com/security/CVE-2009-2816

Affected software / configurations for CVE-2009-2816

Vendor Product Version Raw CPE
apple safari < 4.0.4 cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
google chrome < 3.0.195.33 cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*
apple iphone_os < 4.0 cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
opensuse opensuse 11.2 cpe:2.3:o:opensuse:opensuse:11.2:*:*:*:*:*:*:*
opensuse opensuse 11.3 cpe:2.3:o:opensuse:opensuse:11.3:*:*:*:*:*:*:*
fedoraproject fedora 11 cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*
fedoraproject fedora 12 cpe:2.3:o:fedoraproject:fedora:12:*:*:*:*:*:*:*

References for CVE-2009-2816

URL Tags
http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html Mailing List Patch Vendor Advisory
http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html Mailing List Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html Third Party Advisory
http://osvdb.org/59940 Broken Link
http://osvdb.org/59967 Broken Link
http://secunia.com/advisories/37346 Third Party Advisory
http://secunia.com/advisories/37358 Third Party Advisory
http://secunia.com/advisories/37393 Third Party Advisory
http://secunia.com/advisories/37397 Third Party Advisory
http://secunia.com/advisories/43068 Third Party Advisory
http://support.apple.com/kb/HT3949 Patch Vendor Advisory
http://support.apple.com/kb/HT4225 Vendor Advisory
http://www.securityfocus.com/bid/36997 Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1023165 Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2009/3217 Vendor Advisory
http://www.vupen.com/english/advisories/2009/3233 Vendor Advisory
http://www.vupen.com/english/advisories/2011/0212 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=525789 Issue Tracking Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/54239 Third Party Advisory VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6516 Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00545.html Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg00549.html Third Party Advisory
cvelogic Threat Intelligence