CRITICAL🇵🇱 Wersja polska

CVE-2024-27922

CVSS 9.8v3.1pub. 2024-03-21upd. 2026-01-02

TOMP Bare Server implements the TompHTTP bare server. A vulnerability in versions prior to 2.0.2 relates to insecure handling of HTTP requests by the @tomphttp/bare-server-node package. This flaw potentially exposes the users of the package to manipulation of their web traffic. The impact may vary depending on the specific usage of the package but it can potentially affect any system where this package is in use. The problem has been patched in version 2.0.2. As of time of publication, no specific workaround strategies have been disclosed.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-444 (Inconsistent Interpretation of HTTP Requests, also known as HTTP Request Smuggling) and results from inconsistent processing of HTTP requests by the Bare server. An attacker can send crafted HTTP requests that are interpreted differently by successive layers of network infrastructure. As a result, it is possible to inject or modify network traffic directed to other users using the proxy server.

Impact

An attacker can manipulate network traffic of server users, potentially intercepting or modifying transmitted data, leading to violations of confidentiality, integrity, and system availability.

Mitigation & patch

The @tomphttp/bare-server-node package should be updated to version 2.0.2, where the issue has been fixed. The vendor has not disclosed any alternative workarounds for this vulnerability.

Who is affected

Tomphttp Tomp Bare Server (package @tomphttp/bare-server-node) in versions prior to 2.0.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Tomphttp Tomp Bare Server

    APP
    Tomphttp
    < 2.0.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References