CVE-2025-24876
Published: 11 February 2025
Summary
CVE-2025-24876 is a high-severity Authentication Bypass by Assumed-Immutable Data (CWE-302) vulnerability in SAP (vendor inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the authentication bypass vulnerability by requiring timely remediation through patching the affected SAP Approuter Node.js package as per SAP Note 3567974.
Prevents attackers from injecting malicious payloads during authorization code trading by enforcing validation of all inputs to the application.
Protects against session hijacking by providing mechanisms to verify the authenticity of sessions stolen via the authentication bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in public-facing SAP Approuter enables remote exploitation of public-facing applications (T1190) and directly facilitates browser session hijacking (T1185) via malicious payload injection during authorization code trading to steal and hijack authenticated sessions.
NVD Description
The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code an attacker can steal the session of the victim by injecting malicious payload causing High impact on confidentiality and integrity of the application
Deeper analysis
CVE-2025-24876 is an authentication bypass vulnerability in the SAP Approuter Node.js package, specifically versions v16.7.1 and earlier. The flaw occurs when trading an authorization code, allowing an attacker to inject a malicious payload and steal the victim's session. The impact on confidentiality and integrity is high. The flaw is classified under CWE-302 and CWE-1287, with an overall CVSS score of 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
The vulnerability is exploitable remotely over the network (AV:N) with low complexity (AC:L) and no privileges required (PR:N), though it requires user interaction (UI:R) such as clicking a malicious link or processing a crafted payload. Successful exploitation enables an unauthenticated attacker to hijack the victim's authenticated session, potentially granting unauthorized access to sensitive application data and functions without affecting availability (A:N).
SAP advisories provide mitigation guidance, including SAP Note 3567974 available at https://me.sap.com/notes/3567974 and details on SAP Security Patch Day at https://url.sap/sapsecuritypatchday. The npm package page for @sap/approuter at https://www.npmjs.com/package/@sap/approuter?activeTab=versions lists available updates to address the issue.
Details
- CWE(s)