CRITICAL🇵🇱 Wersja polska

CVE-2024-10264

CVSS 9.8v3.1pub. 2025-03-20upd. 2025-08-01

HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers to exploit inconsistencies in the interpretation of HTTP requests between a proxy and a server. This can lead to unauthorized access, bypassing security controls, session hijacking, data leakage, and potentially arbitrary code execution.

🤖 AI Analysis
How it works

The vulnerability lies in the fact that the proxy and backend server interpret HTTP request boundaries differently — a phenomenon known as HTTP Request Smuggling. An attacker sends a crafted HTTP request that the proxy treats as one request, while the target server interprets it as two separate requests. This makes it possible to inject an additional request into the communication stream, which is processed by the server in the context of another user or with elevated privileges.

Impact

An attacker can gain unauthorized access to application resources, bypass security control mechanisms, hijack another user's session, lead to disclosure of sensitive data, and potentially execute arbitrary code on the server (RCE).

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. Additionally, it is recommended to verify the proxy layer configuration for consistent handling of Transfer-Encoding and Content-Length headers, and to limit the application's exposure to public network traffic until the patch is applied.

Who is affected

netease-youdao/qanything version 1.4.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Youdao Qanything

    APP
    Youdao
    1.4.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-12864HIGH7.5ten sam produkt

A Denial of Service (DoS) vulnerability was discovered in the file upload feature of netease-youdao/qanything ...

CVE-2024-12866HIGH7.5ten sam produkt

A local file inclusion vulnerability exists in netease-youdao/qanything version v2.0.0. This vulnerability all...

CVE-2024-8024HIGH7.5ten sam produkt

A CORS misconfiguration vulnerability exists in netease-youdao/qanything version 1.4.1. This vulnerability all...

CVE-2024-8027MEDIUM6.1ten sam produkt

A stored Cross-Site Scripting (XSS) vulnerability exists in netease-youdao/QAnything. Attackers can upload mal...