CVE-2024-10264

9.8 CRITICAL

📋 TL;DR

CVE-2024-10264 is an HTTP request smuggling vulnerability in netease-youdao/qanything version 1.4.1 that allows attackers to bypass security controls by exploiting differences in how front-end proxies and the back-end server interpret the same HTTP request. This can lead to unauthorized access, session hijacking, and data leakage. Organizations using qanything version 1.4.1 are affected.

💻 Affected Systems

Products:
  • netease-youdao/qanything
Versions: 1.4.1
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment using qanything 1.4.1 with HTTP traffic passing through proxies is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers achieve arbitrary code execution, gain full system control, and exfiltrate sensitive data from the qanything application and underlying infrastructure.

🟠 Likely Case

Attackers bypass authentication, hijack user sessions, access unauthorized data, and potentially manipulate application functionality.

🟢 If Mitigated

With proper network segmentation and WAF rules, impact is limited to potential service disruption and limited data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires understanding of HTTP request smuggling techniques and ability to craft malicious requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.2 or later

Vendor Advisory: https://huntr.com/bounties/988247d5-fd60-4d85-845a-e867d62c0d02

Restart Required: Yes

Instructions:

1. Update qanything to version 1.4.2 or later.
2. Restart the qanything service.
3. Verify the update was successful.

🔧 Temporary Workarounds

WAF Rule Implementation

all

Configure WAF to detect and block HTTP request smuggling attempts

Proxy Configuration Hardening

all

Ensure all proxies in the traffic path are configured to reject ambiguous HTTP requests

🧯 If You Can't Patch

  • Isolate qanything instances behind dedicated proxies with strict HTTP parsing
  • Implement network segmentation to limit potential lateral movement

🔍 How to Verify

Check if Vulnerable:

Check if running qanything version 1.4.1. Use HTTP request smuggling testing tools against the application.

Check Version:

Check qanything configuration files or deployment manifests for version information

Verify Fix Applied:

Verify qanything version is 1.4.2 or later. Test with HTTP request smuggling tools to confirm vulnerability is patched.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP request patterns
  • Multiple requests with same connection
  • Malformed HTTP headers

Network Indicators:

  • HTTP requests with conflicting Content-Length and Transfer-Encoding headers
  • Unexpected request smuggling patterns
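The proxy-hardening workaround and the network indicators above both come down to one question: is a given request ambiguous to parse? The following is an added example, not code from this advisory or from the qanything project, that checks captured HTTP/1.1 request heads for the conditions listed here (Content-Length together with Transfer-Encoding, conflicting Content-Length values, malformed header names, unrecognized transfer codings). The sample requests, hostnames and paths are constructed placeholders.

```python
import re

# Header names must be RFC 9110 tokens; a name such as "Transfer-Encoding "
# (trailing space) is not one and signals an attempt to confuse one parser.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
KNOWN_CODINGS = {"chunked", "gzip", "compress", "deflate", "identity"}

def parse_request_head(raw):
    """Split a raw HTTP/1.1 request into its request line and (name, value) headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name, value.strip()))  # name left unstripped on purpose
    return request_line, headers

def smuggling_findings(raw):
    """Return the reasons this request is ambiguous to parse (empty list if clean)."""
    _, headers = parse_request_head(raw)
    findings = []
    for name, _ in headers:
        if not TOKEN.match(name):
            findings.append(f"malformed header name {name!r}")
    cl = [v for n, v in headers if n.strip().lower() == "content-length"]
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    if cl and te:
        findings.append("Content-Length and Transfer-Encoding both present")
    if len(set(cl)) > 1:
        findings.append(f"conflicting Content-Length values {sorted(set(cl))}")
    for v in cl:
        if not v.isdigit():
            findings.append(f"non-numeric Content-Length {v!r}")
    for v in te:
        codings = [c.strip().lower() for c in v.split(",")]
        unknown = [c for c in codings if c not in KNOWN_CODINGS]
        if unknown:
            findings.append(f"unrecognized transfer coding(s) {unknown}")
        elif codings[-1] != "chunked":
            findings.append("chunked is not the final transfer coding")
    return findings

# Constructed sample requests (not real traffic); host and paths are placeholders.
CL_TE = ("POST /upload HTTP/1.1\r\nHost: app.example\r\n"
         "Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
OBFUSCATED_TE = ("POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                 "Transfer-Encoding : xchunked\r\n\r\n")
CLEAN = "GET /health HTTP/1.1\r\nHost: app.example\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("CL.TE", CL_TE), ("obfuscated", OBFUSCATED_TE), ("clean", CLEAN)]:
        print(label, smuggling_findings(req))
```

A proxy that rejects any request with a non-empty findings list enforces the "reject ambiguous HTTP requests" workaround; the same function run over captured request heads produces the log indicators listed above.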

SIEM Query:

source="qanything" AND (http.request.header="Transfer-Encoding" OR http.request.header="Content-Length") AND event.action="anomaly"
