Cyber Posture

CVE-2024-57177

High

Published: 10 February 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: not listed
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0015 (34.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A host header injection vulnerability exists in the NPM package perfood/couch-auth <= 0.21.2. By sending a specially crafted Host header in the email change confirmation request, it is possible to trigger an SSTI which can be leveraged to run limited commands or leak server-side information.

Security Summary

CVE-2024-57177 is a host header injection vulnerability in the NPM package perfood/couch-auth, versions 0.21.2 and earlier. By sending a specially crafted Host header in the email change confirmation request, an attacker can trigger Server-Side Template Injection (SSTI), which can be leveraged to run limited commands or leak server-side information. The vulnerability carries a CVSS score of 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is classified under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine).

The vector shows the issue is reachable over the network (AV:N) by an unauthenticated attacker (PR:N) with low attack complexity (AC:L) and no user interaction (UI:N): anyone who can send an HTTP request to the email change confirmation endpoint, and whose Host header reaches the application unaltered by an intermediate proxy, can attempt it. Successful exploitation yields limited command execution or disclosure of server-side information, scored as low impact on confidentiality, integrity, and availability (C:L/I:L/A:L) with the scope unchanged (S:U).

Affected deployments should move to a couch-auth release later than 0.21.2 once the upstream repository confirms the fix; fix and advisory details are tracked at https://github.com/perfood/couch-auth, and the researcher's CVE research repository is at https://github.com/waristea/cve-research/tree/main/CVE-2024-57177. As general hardening for this bug class while the upgrade is pending, do not build confirmation links or template input from the request's Host header, and have the application or its reverse proxy reject requests whose Host is not on an explicit allow-list.
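The bug class described above, as an added illustration in JavaScript that is not couch-auth's code: the template engine is a constructed stand-in for whatever engine the package actually uses, and the function names (renderTemplate, vulnerableConfirmationLink, checkHost, hardenedConfirmationLink), the config fields (publicOrigin, allowedHosts) and the hosts (app.example.com, evil.example) are assumptions. The vulnerable function splices the Host header into the template source, so template syntax in the header is evaluated server-side; the hardened one rejects unexpected Hosts, builds the link from a configured origin, and passes every variable to the engine as data rather than as source.

```javascript
// Added illustration for the CVE-2024-57177 bug class (Host header -> SSTI).
// NOT couch-auth's code: the engine below is a constructed stand-in, and the
// helper names, config fields and host names are assumptions for the example.

// Stand-in "engine": compiles the template SOURCE as a JS template literal, so
// any `${...}` spliced into the source is evaluated as code. Values passed in
// `data` become function parameters and are only ever interpolated as data.
function renderTemplate(source, data) {
  const names = Object.keys(data);
  const values = names.map((k) => data[k]);
  // A backtick inside `source` would be a syntax error here; that is a
  // property of this toy engine, not of the real one.
  return new Function(...names, 'return `' + source + '`;')(...values);
}

// VULNERABLE pattern: the request's Host header is concatenated into the
// template source of the confirmation e-mail, so template syntax carried in
// the header is evaluated server-side instead of being treated as text.
function vulnerableConfirmationLink(headers, token) {
  const host = headers['host']; // attacker-controlled, never validated
  const source =
    '<a href="https://' + host + '/confirm-email/${token}">Confirm</a>';
  return renderTemplate(source, { token });
}

// HARDENED pattern, part 1: refuse any Host the deployment does not expect.
// (assumed helper; the allow-list would come from deployment configuration)
const HOST_RE = /^[a-z0-9.-]+(:\d{1,5})?$/i;
function checkHost(headers, allowedHosts) {
  const host = headers['host'];
  if (typeof host !== 'string' || !HOST_RE.test(host)) {
    throw new Error('malformed Host header');
  }
  const normalized = host.toLowerCase();
  if (!allowedHosts.has(normalized)) {
    throw new Error('Host header not in allow-list: ' + host);
  }
  return normalized;
}

// HARDENED pattern, part 2: the link is built from a configured public origin,
// never from the request, and every variable reaches the engine as DATA.
function hardenedConfirmationLink(headers, token, config) {
  checkHost(headers, config.allowedHosts); // defence in depth
  const source = '<a href="${origin}/confirm-email/${token}">Confirm</a>';
  return renderTemplate(source, {
    origin: config.publicOrigin,
    token: encodeURIComponent(token),
  });
}

// Constructed demo input: an attacker smuggles template syntax through Host.
function demo() {
  const cfg = {
    publicOrigin: 'https://app.example.com', // assumed deployment config
    allowedHosts: new Set(['app.example.com']),
  };
  const attacker = { host: 'evil.example/${7*191}' };
  const out = {};
  out.vulnerable = vulnerableConfirmationLink(attacker, 'tok');
  try {
    hardenedConfirmationLink(attacker, 'tok', cfg);
    out.hardenedAttacker = 'accepted';
  } catch (e) {
    out.hardenedAttacker = e.message;
  }
  out.hardenedLegit = hardenedConfirmationLink(
    { host: 'app.example.com' }, 'tok', cfg);
  return out;
}

console.log(demo());
```

In the vulnerable path the header value `evil.example/${7*191}` comes back as `evil.example/1337`, which is the tell-tale of template evaluation and the same primitive that, with a real engine, reaches limited command execution or server-side data. The hardened path rejects that header before any template is touched, and even a token containing `${...}` is emitted verbatim (URL-encoded) because it arrives as data.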

Details

CWE(s)
CWE-1336

References

https://github.com/perfood/couch-auth
https://github.com/waristea/cve-research/tree/main/CVE-2024-57177