
CVE-2025-24876: Authentication bypass via authorization code injection in SAP Approuter

8.1 CVSS

Description

The SAP Approuter Node.js package, version v16.7.1 and earlier, is vulnerable to authentication bypass. When trading an authorization code, an attacker can steal the victim's session by injecting a malicious payload, causing a high impact on the confidentiality and integrity of the application.

Classification

CVE ID: CVE-2025-24876

CVSS Base Severity: HIGH

CVSS Base Score: 8.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected Products

Vendor: SAP_SE

Product: SAP Approuter Node.js package

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 18.37% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-12 (date this score was calculated)

References

https://me.sap.com/notes/3567974
https://www.npmjs.com/package/@sap/approuter?activeTab=versions
https://url.sap/sapsecuritypatchday

Timeline