CVE-2025-24876
Authentication bypass in @sap/approuter
CVSS 3.1 score: 8.1 (HIGH)
EPSS: 0.16%
Description
The SAP Approuter Node.js package, version v16.7.1 and earlier, is vulnerable to authentication bypass. When exchanging an authorization code, an attacker can steal the victim's session by injecting a malicious payload, with high impact on the confidentiality and integrity of the application.
How to fix CVE-2025-24876
To remediate CVE-2025-24876, upgrade the affected package to a fixed version:
- Upgrade @sap/approuter to 16.7.2 or later
Is CVE-2025-24876 being exploited?
Low: EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- @sap/approuter: >= 2.6.1, < 16.7.2
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 8.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |