RaspAP raspap-webgui HTTP POST Request provider.php code injection
Description
A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. This issue affects some unknown processing of the file includes/provider.php of the component HTTP POST Request Handler. The manipulation of the argument country leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-256919. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical code injection in RaspAP raspap-webgui 3.0.9 via HTTP POST to includes/provider.php allows remote unauthenticated attackers to execute arbitrary code.
Vulnerability
Overview
CVE-2024-2497 is a critical code injection vulnerability in RaspAP raspap-webgui version 3.0.9. The flaw resides in the includes/provider.php file, specifically within the HTTP POST request handler. By manipulating the country argument, an attacker can inject arbitrary code. The root cause is insufficient sanitization of user-supplied input before it is processed [2].
Exploitation
The attack is remotely exploitable without authentication. An attacker sends a crafted HTTP POST request to the vulnerable endpoint, supplying malicious payloads in the country parameter. No special network position is required beyond reachability of the RaspAP web interface. The exploit has been publicly disclosed, increasing the risk of widespread use [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the target device, typically with the privileges of the web server (e.g., www-data). This can lead to full compromise of the router, including data exfiltration, installation of backdoors, or disruption of network services. Given RaspAP's role as a wireless router management platform, the impact on affected Debian-based devices (including Raspberry Pi) is severe [1][2].
Mitigation
As of the publication date, the vendor has not responded to disclosure and no patch is available. Users are advised to restrict network access to the RaspAP web interface, use firewall rules, or consider alternative software. The vulnerability is listed with VDB-256919 and is considered critical (CVSS 4.0 not yet assigned by NVD) [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| billz/raspap-webgui (Packagist) | <= 3.0.9 | — |
Affected products
- RaspAP/raspap-webgui, version range: 3.0.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- toradah.notion.site/Code-Injection-Leading-to-Remote-Code-Execution-RCE-in-RaspAP-Web-GUI-d321e1a416694520bec7099253c65060 (GHSA, exploit, web)
- github.com/advisories/GHSA-99wg-vmvq-2cp5 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-2497 (GHSA, advisory)
- vuldb.com (GHSA, signature, permissions required, web)
- vuldb.com (GHSA, VDB entry, technical description, web)
News mentions
No linked articles in our index yet.