Authentication Bypass in SAP Approuter Node.js Package
CVE-2025-24876

8.1HIGH

Key Information:

Vendor: SAP
Status: SAP Approuter Node.js Package
Vendor: CVE Published:; 11 February 2025

What is CVE-2025-24876?

The SAP Approuter Node.js package versions up to and including v16.7.1 are vulnerable to an authentication bypass. This vulnerability allows an attacker to exploit the authorization code trading process to inject malicious payloads. If successful, the attacker can steal the victim's session, significantly compromising the confidentiality and integrity of the application. This exposes sensitive user data and operational security, necessitating immediate attention and remediation measures.

Affected Version(s)

SAP Approuter Node.js package 2.6.1 to 16.7.1

References

https://me.sap.com/notes/3567974

https://www.npmjs.com/package/@sap/approuter?activeTab=ve...

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 11, 2025
Vulnerability Reserved
Jan 27, 2025