CVE-2024-2497: RaspAP Vulnerable to Code Injection via an Unknown Process in File `includes/provider.php`

March 15, 2024 (updated April 10, 2025)

A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256919. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/RaspAP/raspap-webgui
github.com/advisories/GHSA-99wg-vmvq-2cp5
nvd.nist.gov/vuln/detail/CVE-2024-2497
toradah.notion.site/Code-Injection-Leading-to-Remote-Code-Execution-RCE-in-RaspAP-Web-GUI-d321e1a416694520bec7099253c65060?pvs=4
vuldb.com/?ctiid.256919
vuldb.com/?id.256919

Code Behaviors & Features

Detect and mitigate CVE-2024-2497 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →