Vulnerabilites related to SAP_SE - SAP Approuter Node.js package
CVE-2025-24876 (GCVE-0-2025-24876)
Vulnerability from cvelistv5
Published
2025-02-11 00:37
Modified
2025-02-21 16:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
SAP_SE | SAP Approuter Node.js package |
Version: 2.6.1 to 16.7.1 |
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-24876", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-02-11T05:44:23.770147Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-02-21T16:46:32.934Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "SAP Approuter Node.js package", "vendor": "SAP_SE", "versions": [ { "status": "affected", "version": "2.6.1 to 16.7.1" } ] } ], "descriptions": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "\u003cp\u003eThe SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application\u003c/p\u003e" } ], "value": "The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application" } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" }, "format": "CVSS", "scenarios": [ { "lang": "en", "value": "GENERAL" } ] } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input", "lang": "eng", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-302", "description": "CWE-302: Authentication Bypass by Assumed-Immutable Data", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-18T19:28:24.683Z", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap" }, "references": [ { "url": "https://me.sap.com/notes/3567974" }, { "url": "https://www.npmjs.com/package/@sap/approuter?activeTab=versions" }, { "url": "https://url.sap/sapsecuritypatchday" } ], "source": { "discovery": "UNKNOWN" }, "title": "Authentication bypass via authorization code injection in SAP Approuter", "x_generator": { "engine": "Vulnogram 0.2.0" } } }, "cveMetadata": { "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2025-24876", "datePublished": "2025-02-11T00:37:40.988Z", "dateReserved": "2025-01-27T08:57:48.546Z", "dateUpdated": "2025-02-21T16:46:32.934Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }