HTTP Request Smuggling in SAP Approuter
SAP Approuter (@sap/approuter npm)
SAP Approuter is the authentication and routing gateway for SAP BTP and CAP applications — if your organisation has cloud-native SAP workloads, Approuter is almost certainly in the path. Unauthenticated HTTP request smuggling at CVSS 9.1 with no authentication required is an urgent fix. Coordinate with your BTP/cloud team immediately.
Vulnerability Detail
An HTTP request smuggling vulnerability in SAP Approuter allows an unauthenticated remote attacker to inject malicious HTTP requests that are interpreted differently by the Approuter and the upstream application server. This can be used to bypass security controls, hijack authenticated sessions, or poison server-side caches. Exploitable in non-Cloud Foundry deployment environments.
Workaround
Ensure Approuter is not directly internet-exposed without a hardened reverse proxy or WAF in front. Review proxy configuration for request normalisation settings.
Patch Action
Upgrade @sap/approuter to version 20.10.0 or higher. Apply SAP Note 3720138.
Affected Versions
Patch Info