Cyber Resilience

CVE-2024-3187

Medium

Published: 17 October 2024

Modified: 15 April 2026
CVSS Score v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0427 (89.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-3187 is a medium-severity Double Free (CWE-415) vulnerability. Its CVSS base score is 5.9 (Medium).

Operationally, it ranks in the top 10.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-3187 tracks two use-after-free issues and one double-free vulnerability in GoAhead versions 6.0.0 and earlier. The flaws occur when JST values are not nulled after being freed during template parsing; they are reachable only when the ME_GOAHEAD_JAVASCRIPT compile-time flag is enabled.

An attacker who can modify JavaScript template files on the target system can supply malicious JST content that triggers memory corruption. Successful exploitation may produce a denial of service and, in limited contexts, arbitrary code execution; the CVSS vector reflects network attack reachability combined with high attack complexity and low privileges.

The single referenced advisory is hosted at Nozomi Networks Labs; it contains no additional mitigation details beyond the conditions already described in the CVE entry. EPSS for the vulnerability rose from a low baseline to a recorded peak of 0.0759 before receding to its current value of 0.0427, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote attacker with the privileges to modify JavaScript template (JST) files could exploit this by providing malicious templates. This may lead to memory corruption, potentially causing a Denial of Service (DoS) or, in rare cases, code execution, though the latter is highly context-dependent.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Goahead
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-416

Non-executable pages and ASLR block or significantly hinder use-after-free exploits that aim for arbitrary code execution.

References