Vulnerabilites related to SAP_SE - SAP Approuter Node.js package
cve-2025-24876
Vulnerability from cvelistv5
Published
2025-02-11 00:37
Modified
2025-02-21 16:46
Severity ?
EPSS score ?
Summary
The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SAP_SE | SAP Approuter Node.js package |
Version: 2.6.1 to 16.7.1 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2025-24876", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2025-02-11T05:44:23.770147Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-21T16:46:32.934Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "SAP Approuter Node.js package", vendor: "SAP_SE", versions: [ { status: "affected", version: "2.6.1 to 16.7.1", }, ], }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application</p>", }, ], value: "The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1287", description: "CWE-1287: Improper Validation of Specified Type of Input", lang: "eng", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-302", description: "CWE-302: Authentication Bypass by Assumed-Immutable Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-18T19:28:24.683Z", orgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", shortName: "sap", }, references: [ { url: "https://me.sap.com/notes/3567974", }, { url: "https://www.npmjs.com/package/@sap/approuter?activeTab=versions", }, { url: "https://url.sap/sapsecuritypatchday", }, ], source: { discovery: "UNKNOWN", }, title: "Authentication bypass via authorization code injection in SAP Approuter", x_generator: { engine: "Vulnogram 0.2.0", }, }, }, cveMetadata: { assignerOrgId: "e4686d1a-f260-4930-ac4c-2f5c992778dd", assignerShortName: "sap", cveId: "CVE-2025-24876", datePublished: "2025-02-11T00:37:40.988Z", dateReserved: "2025-01-27T08:57:48.546Z", dateUpdated: "2025-02-21T16:46:32.934Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }