CVE-2024-10264
Published: 20 March 2025
Summary
CVE-2024-10264 is a critical-severity HTTP Request/Response Smuggling (CWE-444) vulnerability in Youdao Qanything. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-10264 is an HTTP Request Smuggling vulnerability (CWE-444) affecting netease-youdao/qanything version 1.4.1. The flaw arises from inconsistencies in how proxies and servers interpret HTTP requests, enabling attackers to manipulate request handling.
Remote attackers require no privileges, authentication, or user interaction to exploit the vulnerability, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation can result in unauthorized access, bypassing security controls, session hijacking, data leakage, and potentially arbitrary code execution.
Mitigation details are available in the advisory published on Huntr at https://huntr.com/bounties/988247d5-fd60-4d85-845a-e867d62c0d02. The CVE was published on 2025-03-20T10:15:15.487.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7122
Vulnerability details
HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers to exploit inconsistencies in the interpretation of HTTP requests between a proxy and a server. This can lead to unauthorized access, bypassing security controls, session hijacking, data leakage, and potentially arbitrary code execution.
- CWE(s): CWE-444 (HTTP Request/Response Smuggling)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An HTTP Request Smuggling vulnerability in a public-facing web application (T1190) lets an attacker bypass security controls by exploiting inconsistencies between the proxy's and the server's interpretation of a request (T1211), facilitating unauthorized access, session hijacking, data leakage, and potential RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the HTTP Request Smuggling vulnerability in qanything 1.4.1 by remediating the specific flaw through patching or the vendor mitigations from the advisory.
- SI-10 (Information Input Validation): Requires validation of HTTP request inputs to prevent smuggling attacks that exploit inconsistencies in request interpretation between proxies and servers.
- Boundary protection: Enforces boundary protections via proxies or WAFs that normalize and inspect HTTP traffic, mitigating the interpretation discrepancies that lead to smuggling.
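As an added illustration of the SI-10 style input validation listed above (example code, not from qanything or from the Huntr advisory), a proxy-side check that refuses any request whose body framing could be read in two different ways. The rules follow RFC 9112 (Content-Length and Transfer-Encoding handling); the sample header blocks in the docstring and test are constructed.

```python
import re

def framing_problems(raw_headers: str) -> list[str]:
    """Return reasons the body framing of a header block is ambiguous (empty list = OK).

    raw_headers is the header block only (no request line, no body), CRLF or LF separated.
    """
    problems, content_lengths, transfer_encodings = [], [], []
    # Split on real line terminators only; str.splitlines() would also
    # split on control bytes such as \x0b, hiding exactly the bytes
    # that different HTTP parsers disagree about.
    for line in re.split(r"\r?\n", raw_headers):
        if not line:
            continue
        if line[0] in " \t":
            # Obsolete line folding: one parser joins it to the previous
            # header, another treats it as a new header; refuse it outright.
            problems.append("obsolete line folding in header block")
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.rstrip(" \t"):
            # No colon, empty name, or whitespace before the colon (RFC 9112 5.1).
            problems.append(f"malformed header line: {line!r}")
            continue
        lname = name.lower()
        if lname == "content-length":
            content_lengths.append(value.strip(" \t"))
        elif lname == "transfer-encoding":
            transfer_encodings.append(value.strip(" \t"))

    # A request carrying both framing headers is the classic CL.TE / TE.CL
    # ambiguity; a strict front end rejects it instead of picking one.
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(content_lengths) > 1:
        problems.append("multiple Content-Length headers")
    for cl in content_lengths:
        if not re.fullmatch(r"[0-9]+", cl):
            problems.append(f"non-decimal Content-Length: {cl!r}")
    if len(transfer_encodings) > 1:
        problems.append("multiple Transfer-Encoding headers")
    for te in transfer_encodings:
        # Only the bare token 'chunked' is accepted; extra codings,
        # prefixes or stray control bytes are refused.
        if te.lower() != "chunked":
            problems.append(f"non-canonical Transfer-Encoding: {te!r}")
    return problems

def accept_request(raw_headers: str) -> bool:
    """True only when every parser would read the body length the same way."""
    return not framing_problems(raw_headers)
```

A proxy or WAF that applies this before forwarding should answer a rejected request with 400 and close the connection, so that no partially read bytes are left on the socket for the next request.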