Description
A host header injection vulnerability exists in the NPM package perfood/couch-auth <= 0.21.2. By sending a specially crafted Host header in the email change confirmation request, it is possible to trigger a server-side template injection (SSTI), which can be leveraged to run limited commands or leak server-side information.
Scores
CVSS v3
7.3
EPSS
0.0015
EPSS Percentile
34.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Lab Environment
COMMUNITY
Community Lab
Details
CWE
CWE-1336
Status
published
Products (1)
perfood/couch-auth
0npm
Published
Feb 10, 2025
Tracked Since
Feb 18, 2026