
CVE-2024-10264

Critical · Public PoC

Published: 20 March 2025
Modified: 01 August 2025
KEV Added: not listed
Patch: none listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10264 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Youdao Qanything. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 35.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. The low EPSS and the absence of a KEV entry are why the risk priority sits at 20 despite the critical CVSS base score.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-10264 is an HTTP Request Smuggling vulnerability (CWE-444) affecting netease-youdao/qanything version 1.4.1. The flaw arises because the proxy in front of the application and the application server disagree on where one HTTP request ends and the next begins; in the classic CWE-444 pattern one side honours Content-Length while the other honours Transfer-Encoding: chunked. An attacker can therefore append bytes that the front end forwards as part of a harmless request body but the back end parses as the start of a new request, one the front end never inspected.

Remote attackers require no privileges, authentication, or user interaction to exploit the vulnerability, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation can result in unauthorized access, bypassing security controls enforced at the proxy (for example path-based access rules), session hijacking (the smuggled prefix can capture the next user's request, cookies included), data leakage, and, per the advisory, potentially arbitrary code execution. Smuggling by itself does not execute code; that outcome depends on what the desynchronised back end exposes, so treat the 9.8 as the worst case for the deployment pattern the advisory describes rather than a guaranteed impact.

Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/988247d5-fd60-4d85-845a-e867d62c0d02. The CVE was published on 2025-03-20T10:15:15.487.


Vulnerability details

HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers to exploit inconsistencies in the interpretation of HTTP requests between a proxy and a server. This can lead to unauthorized access, bypassing security controls, session hijacking, data leakage, and potentially arbitrary code execution.

CWE(s)

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1211 Exploitation for Stealth (Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.

Why these techniques?

The flaw sits in a public-facing web application, so the entry point is T1190. Because the smuggled request is assembled only at the back end, it never passes through the proxy's access checks or logging, which is the evasion mapped to T1211; the resulting effects are unauthorized access, session hijacking, data leakage, and potentially RCE.

CVEs Like This One

CVE-2024-12866 (same product: Youdao Qanything)
CVE-2026-28368 (shared CWE-444)
CVE-2025-31958 (shared CWE-444)
CVE-2026-41873 (shared CWE-444)
CVE-2026-1525 (shared CWE-444)
CVE-2026-33870 (shared CWE-444)
CVE-2026-2833 (shared CWE-444)
CVE-2025-65114 (shared CWE-444)
CVE-2026-24880 (shared CWE-444)
CVE-2026-40560 (shared CWE-444)

Affected Assets

Vendor: youdao
Product: qanything
Version: 1.4.1

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the HTTP Request Smuggling vulnerability in qanything 1.4.1 by remediating the specific flaw through patching or the vendor mitigations from the advisory.

SI-10 Information Input Validation (prevent)
Requires validation of HTTP request framing, so that a request carrying both Content-Length and Transfer-Encoding, conflicting Content-Length values, or an unrecognised Transfer-Encoding is rejected rather than interpreted differently by the proxy and the server.

SC-7 Boundary Protection (prevent)
Enforces boundary protection via proxies or WAFs that normalize and inspect HTTP traffic before it reaches the application. For smuggling this means the front end must reject (and close the connection on) ambiguously framed requests instead of forwarding them, and both tiers must parse HTTP/1.1 the same way or speak HTTP/2 end to end, since the attack depends on the two parsers disagreeing.
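Worked example, added here and not code from the QAnything project or the Huntr advisory. It models both the desync described in the deeper analysis above and the framing check that SI-10 and SC-7 ask for: one constructed byte stream (an attacker's CL.TE request followed by a victim's request on the same upstream connection) is framed once the way a Content-Length-trusting front end would and once the way a Transfer-Encoding-trusting back end would, and a strict parser rejects it before either view is produced. The host name, paths and header values are invented for the demo; nothing here is the actual QAnything request.

```python
"""CL.TE request-smuggling desync, modelled offline (added example)."""
from __future__ import annotations

CRLF = b"\r\n"


def parse_head(buf: bytes) -> tuple[str, dict[str, list[str]], bytes]:
    """Split one request head off buf -> (request line, headers, rest).

    Header names are lower-cased; repeated fields are kept as a list so the
    strict check can see duplicates."""
    head, _, rest = buf.partition(CRLF + CRLF)
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, rest


def read_chunked(buf: bytes) -> tuple[bytes, bytes]:
    """Consume a chunked body (no trailers assumed) -> (body, leftover bytes)."""
    body = b""
    while True:
        size_line, _, buf = buf.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            _, _, buf = buf.partition(CRLF)        # empty trailer section
            return body, buf
        body, buf = body + buf[:size], buf[size + len(CRLF):]


def framing_error(headers: dict[str, list[str]]) -> str | None:
    """Return why a request's framing is ambiguous, or None if it is clean.

    Applies the RFC 7230/9112 rule: Content-Length alongside Transfer-Encoding,
    a duplicated or malformed Content-Length, or a Transfer-Encoding other than
    plain 'chunked' is rejected instead of guessed at."""
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if cl and te:
        return "both Content-Length and Transfer-Encoding present"
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        return "conflicting or malformed Content-Length"
    if te and [v.lower() for v in te] != ["chunked"]:
        return "unsupported Transfer-Encoding"
    return None


def split_requests(stream: bytes, honour: str, strict: bool = False) -> list[str]:
    """Frame stream into requests as a parser trusting `honour` would.

    honour is 'content-length' or 'transfer-encoding'. With strict=True the
    ambiguity check runs first and the connection is dropped on a hit."""
    seen: list[str] = []
    while stream:
        request_line, headers, rest = parse_head(stream)
        if strict and (why := framing_error(headers)):
            raise ValueError(f"{request_line!r}: {why}")
        te_values = [v.lower() for v in headers.get("transfer-encoding", [])]
        if honour == "transfer-encoding" and "chunked" in te_values:
            body, stream = read_chunked(rest)
        else:
            n = int(headers.get("content-length", ["0"])[0])
            body, stream = rest[:n], rest[n:]
        seen.append(f"{request_line} body={body!r}")
    return seen


# Constructed attacker request (hypothetical host and paths). Content-Length
# covers the whole payload, but the chunked body ends at "0\r\n\r\n", so a
# TE-honouring parser leaves "GET /admin ..." in its buffer and glues it onto
# whatever arrives next on the connection.
SMUGGLED = b"0" + CRLF + CRLF + b"GET /admin HTTP/1.1" + CRLF + b"Foo: "
ATTACKER = (
    b"POST / HTTP/1.1" + CRLF
    + b"Host: app.internal" + CRLF
    + b"Content-Length: " + str(len(SMUGGLED)).encode() + CRLF
    + b"Transfer-Encoding: chunked" + CRLF + CRLF
    + SMUGGLED
)
# Constructed victim request that arrives next on the same upstream socket.
VICTIM = (b"GET /home HTTP/1.1" + CRLF + b"Host: app.internal" + CRLF
          + b"Content-Length: 0" + CRLF + CRLF)
STREAM = ATTACKER + VICTIM


def demo() -> tuple[list[str], list[str]]:
    """Return (front-end view, back-end view) of the same bytes."""
    return (split_requests(STREAM, "content-length"),
            split_requests(STREAM, "transfer-encoding"))


if __name__ == "__main__":
    front, back = demo()
    print("front end saw:", front)
    print("back end saw: ", back)
    try:
        split_requests(STREAM, "transfer-encoding", strict=True)
    except ValueError as err:
        print("strict parser rejected:", err)
```

Run as a script, the front end reports the second request as GET /home while the back end reports it as GET /admin, with the victim's own request line swallowed into the smuggled Foo header; that is the control bypass and session capture the advisory describes. The strict parser raises on the first request, before either view exists. In a real deployment the equivalent check belongs in the front-end proxy, which must reject or close the connection rather than forward a request carrying both headers, and the application server behind it should apply the same rule so the two tiers cannot disagree.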

References

Huntr advisory: https://huntr.com/bounties/988247d5-fd60-4d85-845a-e867d62c0d02