CVE-2025-24876 – @sap/approuter
Package
Manager: npm
Name: @sap/approuter
Vulnerable Version: >=2.6.1 <16.7.2
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00221 (percentile: 0.44666)
Details
Authentication bypass in @sap/approuter
The SAP Approuter Node.js package, versions v16.7.1 and earlier, is vulnerable to authentication bypass. When trading an authorization code, an attacker can steal the victim's session by injecting a malicious payload, causing high impact on the confidentiality and integrity of the application.
Metadata
Created: 2025-02-11T03:30:56Z
Modified: 2025-02-11T16:35:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-cpfx-964w-4jvp/GHSA-cpfx-964w-4jvp.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-cpfx-964w-4jvp
Finding: F100
Auto approve: 1