CVE-2024-3187

Description

This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not being nulled when freed during parsing of JST templates. If the ME_GOAHEAD_JAVASCRIPT flag is enabled, a remote attacker with the privileges to modify JavaScript template (JST) files could exploit this by providing malicious templates. This may lead to memory corruption, potentially causing a Denial of Service (DoS) or, in rare cases, code execution, though the latter is highly context-dependent.

Remediation

Solution:

  • It is recommended to apply fixes introduced in version 6.0.1 of GoAhead and use the latest version available as base for building custom web servers.

Category

5.9
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.34%
Affected: EmbedThis GoAhead
Published at:
Updated at:

References

Link Tags
https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-3187

Frequently Asked Questions

What is the severity of CVE-2024-3187?
CVE-2024-3187 has been scored as a medium severity vulnerability.
How to fix CVE-2024-3187?
To fix CVE-2024-3187: It is recommended to apply fixes introduced in version 6.0.1 of GoAhead and use the latest version available as base for building custom web servers.
Is CVE-2024-3187 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-3187 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-3187?
CVE-2024-3187 affects EmbedThis GoAhead.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.