PT-2025-6134 · Sap · Sap Approuter Node.Js

Published: 2025-02-11 · Updated: 2025-03-24 · CVE-2025-24876

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: SAP Approuter Node.js package versions 2.6.1 through 16.7.1
Description: The issue is an authentication bypass vulnerability. When trading an authorization code, an attacker can steal the victim's session by injecting a malicious payload, with high impact on the confidentiality and integrity of the application.
Recommendations: For SAP Approuter Node.js package versions 2.6.1 through 16.7.1, consider updating to a version later than 16.7.1 to resolve the authentication bypass issue. As a temporary workaround, restrict access to authorization code trading to minimize the risk of exploitation. Avoid using vulnerable functions related to authorization code trading until the issue is resolved. At the moment, there is no information about additional mitigation measures.

Fix

Open Redirect


Weakness Enumeration

Related Identifiers

CVE-2025-24876
GHSA-CPFX-964W-4JVP

Affected Products

Sap Approuter Node.Js