CVE-2024-10264
Published: 20 March 2025
Description
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Security Summary
CVE-2024-10264 is an HTTP Request Smuggling vulnerability (CWE-444) affecting netease-youdao/qanything version 1.4.1. The flaw arises from inconsistencies in how a front-end proxy and the back-end server interpret the same HTTP request, which lets an attacker influence how the server processes requests.
Remote attackers require no privileges, authentication, or user interaction to exploit the vulnerability, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation can result in unauthorized access, bypassing security controls, session hijacking, data leakage, and potentially arbitrary code execution.
Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/988247d5-fd60-4d85-845a-e867d62c0d02. The CVE was published on 2025-03-20T10:15:15.487.
Details
- CWE(s)
- CWE-444 (HTTP Request Smuggling)
Affected Products
- netease-youdao/qanything 1.4.1
AI Security Analysis
- AI Category
- Enterprise AI Assistants
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- QAnything (netease-youdao/qanything) is an open-source AI knowledge base/RAG application, which fits the Enterprise AI Assistants category. The vulnerability was reported on an AI/ML bug bounty platform (huntr.dev), confirming its AI relevance.
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1211 Exploitation for Defense Evasion
Why these techniques?
An HTTP Request Smuggling vulnerability in a public-facing web application (T1190) lets an attacker exploit inconsistencies between how the proxy and the server parse requests in order to bypass security controls (T1211), facilitating unauthorized access, session hijacking, data leakage, and potential RCE.