CVE-2024-27922

2024-03-2102:52:21

CWE-444

[email protected]

web.nvd.nist.gov

tomp bare server

tomphttp

bare server

vulnerability

http requests

@tomphttp/bare-server-node

web traffic manipulation

system security

patch

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.2%

JSON

TOMP Bare Server implements the TompHTTP bare server. A vulnerability in versions prior to 2.0.2 relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to manipulation of their web traffic. The impact may vary depending on the specific usage of the package but it can potentially affect any system where this package is in use. The problem has been patched in version 2.0.2. As of time of publication, no specific workaround strategies have been disclosed.

Affected configurations

Vulners

Node

tomphttpbare_server_nodeRange<2.0.2

CNA Affected

[
  {
    "vendor": "tomphttp",
    "product": "bare-server-node",
    "versions": [
      {
        "version": "< 2.0.2",
        "status": "affected"
      }
    ]
  }
]