What is the CVSS score of CVE-2024-57177?

CVE-2024-57177 has a CVSS 3.1 base score of 7.3 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. EPSS exploitation probability: 0.1%.

Which versions of Node.js are affected by CVE-2024-57177?

Organizations using the NPM package of perfood/couch-auth face moderate risk from CVE-2024-57177 rated CVSS 7.3. Exploitation could compromise the security of affected deployments.

How to fix or mitigate CVE-2024-57177?

Within 30 days: Identify all affected systems running the NPM package of perfood/couch-auth and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.

Node.js CVE-2024-57177

HIGH

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

2025-02-10 cve@mitre.org

Node.js Information Disclosure Ssti

7.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:25 vuln.today

CVE Published

Feb 10, 2025 - 20:15 nvd

HIGH 7.3

DescriptionNVD

A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information

AnalysisAI

A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-1336. A host header injection vulnerability exists in the NPM package of perfood/couch-auth <= 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information

Affected ProductsAI

See vendor advisory for affected versions.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More from same product – last 7 days

CVE-2026-47668 CRITICAL Act Now POC

10.0 Jun 05

Unauthenticated remote code execution in DbGate (npm package dbgate-serve, versions <= 7.1.8) lets remote attackers exec

CVE-2025-71329 HIGH This Week POC

8.7 Jun 10

Denial of service in the image-size Node.js library through version 2.0.2 allows remote unauthenticated attackers to per

CVE-2025-71330 HIGH This Week POC

8.7 Jun 10

Denial of service in the image-size Node.js library (versions up to and including 2.0.2) allows remote unauthenticated a

CVE-2026-48017 HIGH This Week

8.8 Jun 05

Remote code execution in DbGate (npm package dbgate-api) versions 7.1.8 and earlier allows any authenticated user with b

CVE-2026-47684 HIGH This Week

7.7 Jun 05

Server-Side Request Forgery in Sync-in Server versions 2.2.1 and earlier allows authenticated low-privileged users to by

CVE-2024-57177 vulnerability details – vuln.today

Back