CVE-2024-57190
Description
Erxes <1.6.1 is vulnerable to Incorrect Access Control. An attacker can bypass authentication by providing a "User" HTTP header that contains any user, allowing them to talk to any GraphQL endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Erxes <1.6.1 allows authentication bypass via an unchecked 'User' HTTP header, enabling arbitrary GraphQL endpoint access.
Vulnerability
The vulnerability stems from the lack of validation on the User HTTP header passed between Erxes microservices. The platform trusts that the header is set internally and never verifies its authenticity, allowing an attacker to forge the identity of any user without proper authentication [1].
Exploitation
An unauthenticated attacker can craft an HTTP request to any GraphQL endpoint and simply add a User header containing the _id of any existing user. No credentials or prior access are required; the header is accepted as the user's identity, bypassing all authentication checks [1][3]. The attack surface is broad because the GraphQL endpoints handle sensitive operations across the entire system.
Impact
Successful exploitation gives the attacker full privileges of the impersonated user, including access to personal data, administrative functionalities, and the ability to modify system settings. When combined with other vulnerabilities like path traversal (also disclosed in the same research), the impact escalates to complete server takeover [1].
Mitigation
Erxes fixed this issue in version 1.6.3 by removing the User header at the application ingress (commit 4ed2ca7) [4]. Users should upgrade to Erxes 1.6.3 or later to prevent authentication bypass.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| erxes (npm) | < 1.6.1 | 1.6.1 |
Affected products
- Erxes / Erxes (from the CVE description)
Patches
- 4ed2ca797241 hotfix(security): GraphQL Authentication Bypass
3 files changed · +12 −0
packages/core/src/data/resolvers/queries/users.ts+4 −0 modified@@ -390,6 +390,10 @@ const userQueries = { * Current user */ currentUser(_root, _args, { user, models }: IContext) { + // this is important for security reasons + if (typeof user?._id !== 'string') { + return null; + } return user ? models.Users.findOne({ _id: user._id, isActive: { $ne: false } }) : null;
packages/gateway/src/index.ts+6 −0 modified@@ -28,6 +28,12 @@ const { DOMAIN, WIDGETS_DOMAIN, CLIENT_PORTAL_DOMAINS, ALLOWED_ORIGINS, PORT } = process.env; (async () => { + app.use((req, _res, next) => { + // this is important for security reasons + delete req.headers['user']; + next(); + }); + app.use(cookieParser()); app.use(userMiddleware);
packages/gateway/src/middlewares/userMiddleware.ts+2 −0 modified@@ -21,6 +21,8 @@ export default async function userMiddleware( _res: Response, next: NextFunction, ) { + // this is important for security reasons + delete req.headers['user']; const url = req.headers['erxes-core-website-url']; const erxesCoreToken = req.headers['erxes-core-token'];
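Review bot: in the users.ts hunk, the new `typeof user?._id !== 'string'` guard makes the `user ? ... : null` ternary that follows it redundant (user is necessarily truthy once `user._id` is a string), and it only hardens this one resolver: a forged header whose `_id` is a string still passes, so the effective protection is the header stripping in the gateway, not this check. Suggest collapsing the return to `return models.Users.findOne({ _id: user._id, isActive: { $ne: false } });` and replacing `// this is important for security reasons` with a comment saying what the guard actually prevents (a non-string `_id`, such as an object, being passed into the Mongo query).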
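Review bot: in the gateway index.ts hunk, `delete req.headers['user']` depends on Node lowercasing incoming header names so that `User` and `USER` variants are covered; the comment should state that rather than "important for security reasons". More importantly, the strip happens only in this gateway app, so any microservice reachable without passing through it still trusts the header. Suggest documenting that internal services must not be network-exposed, and adding a regression test asserting that a request carrying a client-set `user` header resolves `currentUser` to null.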
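Review bot: in the userMiddleware.ts hunk, the deletion duplicates the one registered in gateway/index.ts with the identical comment; that is acceptable as defence in depth, but ordering is the contract that matters: if any later code in this middleware sets `req.headers['user']` from a verified token, this delete must stay ahead of it or a legitimate identity would be discarded. A one-line comment stating that ordering requirement, and a shared helper in place of three copies of `delete req.headers['user']`, would make the intent clear to the next maintainer.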
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-7rhv-xm4q-wh42 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-57190 (GHSA, advisory)
- github.com/erxes/erxes/commit/4ed2ca797241d2ba0c9083feeadd9755c1310ce8 (GHSA, web)
- www.sonarsource.com/blog/micro-services-major-headaches-detecting-vulnerabilities-in-erxes-microservices (GHSA, web)
- www.sonarsource.com/blog/micro-services-major-headaches-detecting-vulnerabilities-in-erxes-microservices/ (MITRE)
News mentions
No linked articles in our index yet.