{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-24876", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-01-27T08:57:48.546Z", "datePublished": "2025-02-11T00:37:40.988Z", "dateUpdated": "2025-02-21T16:46:32.934Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP Approuter Node.js package", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "2.6.1 to 16.7.1"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application</p>"}], "value": "The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input", "lang": "eng", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-302", "description": "CWE-302: Authentication Bypass by Assumed-Immutable Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2025-02-18T19:28:24.683Z"}, "references": [{"url": "https://me.sap.com/notes/3567974"}, {"url": "https://www.npmjs.com/package/@sap/approuter?activeTab=versions"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Authentication bypass via authorization code injection in SAP Approuter", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-11T05:44:23.770147Z", "id": "CVE-2025-24876", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-21T16:46:32.934Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-24876", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-11T05:44:23.770147Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T05:45:00.823Z"}}], "cna": {"title": "Authentication bypass via authorization code injection in SAP Approuter", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP Approuter Node.js package", "versions": [{"status": "affected", "version": "2.6.1 to 16.7.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3567974"}, {"url": "https://www.npmjs.com/package/@sap/approuter?activeTab=versions"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application", "supportingMedia": [{"type": "text/html", "value": "<p>The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-1287", "description": "CWE-1287: Improper Validation of Specified Type of Input"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-302", "description": "CWE-302: Authentication Bypass by Assumed-Immutable Data"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2025-02-18T19:28:24.683Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24876", "state": "PUBLISHED", "dateUpdated": "2025-02-21T16:46:32.934Z", "dateReserved": "2025-01-27T08:57:48.546Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2025-02-11T00:37:40.988Z", "assignerShortName": "sap"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application"}, {"lang": "es", "value": "El paquete SAP Approuter Node.js versi\u00f3n v16.7.1 y anteriores es vulnerable a la omisi\u00f3n de autenticaci\u00f3n. Al intercambiar un c\u00f3digo de autorizaci\u00f3n, un atacante puede robar la sesi\u00f3n de la v\u00edctima inyectando payload malicioso, lo que provoca un gran impacto en la confidencialidad y la integridad de la aplicaci\u00f3n."}], "id": "CVE-2025-24876", "lastModified": "2025-02-18T20:15:31.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2025-02-11T01:15:11.887", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3567974"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}, {"source": "cna@sap.com", "url": "https://www.npmjs.com/package/@sap/approuter?activeTab=versions"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-302"}, {"lang": "en", "value": "CWE-1287"}], "source": "cna@sap.com", "type": "Primary"}]}

{}