CVE-2025-24876
Published: 11 February 2025
Description
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Security Summary
CVE-2025-24876 is an authentication bypass vulnerability in the SAP Approuter Node.js package, specifically versions v16.7.1 and earlier. The flaw occurs when trading an authorization code, allowing an attacker to inject a malicious payload and steal the victim's session. This impacts confidentiality and integrity at a high level, as classified by CWEs CWE-302 and CWE-1287, with an overall CVSS score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
The vulnerability is exploitable remotely over the network (AV:N) with low complexity (AC:L) and no privileges required (PR:N), though it requires user interaction (UI:R) such as clicking a malicious link or processing a crafted payload. Successful exploitation enables an unauthenticated attacker to hijack the victim's authenticated session, potentially granting unauthorized access to sensitive application data and functions without affecting availability (A:N).
SAP advisories provide mitigation guidance, including SAP Note 3567974 available at https://me.sap.com/notes/3567974 and details on SAP Security Patch Day at https://url.sap/sapsecuritypatchday. The npm package page for @sap/approuter at https://www.npmjs.com/package/@sap/approuter?activeTab=versions lists available updates to address the issue.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in public-facing SAP Approuter enables remote exploitation of public-facing applications (T1190) and directly facilitates browser session hijacking (T1185) via malicious payload injection during authorization code trading to steal and hijack authenticated sessions.