
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Erxes versions earlier than 1.6.1 contain an authentication bypass: an unauthenticated attacker can impersonate any user by supplying a "User" HTTP header carrying arbitrary user data, and can then call any GraphQL endpoint as that user (Sonar Blog, GitHub Commit). The issue was reported in October 2023 and fixed in version 1.6.1, released in February 2024.
The root cause is in the gateway service's authentication handling. For an authenticated request, the gateway populates the user header itself; for an unauthenticated request it simply does not set the header, but it still forwards the incoming request to the target service unchanged, including any user header the client sent. The downstream services treat that header as a trusted, gateway-supplied value and use it for their permission checks (Sonar Blog). An attacker therefore only needs to write the header with the identity of the user they want to become, an administrator included, and the services will honour it. In other words, authorization in the affected versions rests on a header that any client on the network can set. The vulnerability carries a CVSS v3.1 base score of 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).
An attacker can bypass authentication and impersonate any user, including administrators. This allows unauthorized access to all data stored in the application and the ability to create additional admin accounts for persistent access. The vulnerability effectively compromises the entire authentication system of the application (Sonar Blog).
The fix, shipped in Erxes 1.6.1, deletes the user header from every incoming HTTP request at the gateway before the request is forwarded, so that only the gateway can populate it. Deployments should upgrade to version 1.6.3 or later to receive this and the subsequent security fixes (Sonar Blog, GitHub Commit).
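The following is an added, self-contained model of the trust boundary described above and of the fix, written for this page; it is not Erxes code. It assumes the header is named `user`, that the gateway serializes the user object as JSON into it, and that a session-token lookup stands in for the real authentication; the sample session and the forged request are constructed for the example. It also strips the header case-insensitively, since HTTP header names are case-insensitive and a gateway that only deletes `headers.user` can be bypassed by `User` if its framework does not normalize names.

```javascript
// Added example (not Erxes code): vulnerable vs. hardened gateway forwarding.
// Assumptions: header name "user", JSON-serialized user object, token-based
// session lookup. Sample data below is constructed for illustration.

const USER_HEADER = 'user';

// Constructed session store: bearer token -> authenticated user.
const SESSIONS = {
  'tok-alice': { _id: 'u1', email: 'alice@example.com', isOwner: false },
};

// Resolve the caller's identity from the Authorization header, or null.
function authenticate(req) {
  const token = (req.headers['authorization'] || '').replace(/^Bearer /, '');
  return SESSIONS[token] || null;
}

// Vulnerable gateway (< 1.6.1 behaviour as described): sets the user header
// only when the request is authenticated and otherwise forwards the client's
// headers untouched, so a client-supplied user header reaches the service.
function vulnerableGateway(req) {
  const headers = { ...req.headers };
  const user = authenticate(req);
  if (user) headers[USER_HEADER] = JSON.stringify(user);
  return headers;
}

// Hardened gateway (1.6.1+ behaviour as described): drop any client-supplied
// user header first, regardless of letter case, then set it only from the
// gateway's own authentication result.
function hardenedGateway(req) {
  const headers = { ...req.headers };
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === USER_HEADER) delete headers[name];
  }
  const user = authenticate(req);
  if (user) headers[USER_HEADER] = JSON.stringify(user);
  return headers;
}

// Downstream service: trusts the forwarded user header for its permission
// checks, exactly as the vulnerable architecture does.
function serviceIdentity(forwardedHeaders) {
  const raw = forwardedHeaders[USER_HEADER];
  if (!raw) return { authenticated: false };
  const user = JSON.parse(raw);
  return { authenticated: true, id: user._id, isOwner: !!user.isOwner };
}

// Constructed attacker request: no valid session, forged owner identity.
const forgedRequest = {
  headers: {
    'content-type': 'application/json',
    user: JSON.stringify({ _id: 'u0', email: 'admin@example.com', isOwner: true }),
  },
};

// Constructed legitimate request from a low-privilege user.
const aliceRequest = { headers: { authorization: 'Bearer tok-alice' } };

// The forged header is accepted through the vulnerable gateway...
function runVulnerable() { return serviceIdentity(vulnerableGateway(forgedRequest)); }
// ...and discarded by the hardened one, while real sessions still work.
function runHardened() { return serviceIdentity(hardenedGateway(forgedRequest)); }
function runHardenedLegit() { return serviceIdentity(hardenedGateway(aliceRequest)); }
```

The check a practitioner wants when reviewing a gateway of this shape is the one `hardenedGateway` performs: any header the internal services treat as authoritative must be removed from the client request before the gateway decides whether to set it, never merely left unset.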
The vulnerability was responsibly disclosed to Erxes by SonarSource researchers in October 2023. The initial 90-day disclosure deadline elapsed before a fix was available; Erxes addressed the issue in February 2024 with version 1.6.1 (Sonar Blog).
Source: This report was generated using AI