Base Score

CRITICAL9.8

CVE-2024-27922

TOMP Bare Server implements the TompHTTP bare server. A vulnerability in versions prior to 2.0.2 relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to manipulation of their web traffic. The impact may vary depending on the specific usage of the package but it can potentially affect any system where this package is in use. The problem has been patched in version 2.0.2. As of time of publication, no specific workaround strategies have been disclosed.

VectorNETWORK

Published Bysecurity-advisories@github.com

Published DateMar 21, 2024, 02:52

Affected Versions(1)

@tomphttp/bare-server-node(npm)

Introduced0

Fixed2.0.2

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
@tomphttp/bare-server-node(npm)	0	2.0.2	N/A

Weakness Type (CWE):CWE-444

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

https://github.com/tomphttp/bare-server-node/security/advisories/GHSA-86fc-f9gr-v533

Base Score

CRITICAL9.8

Weakness Type (CWE):CWE-444

CVSS Metrics

Base Score

9.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH