CVE-2024-51738

Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd	Patch
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-01-20 16:15

Updated : 2025-09-11 21:33

NVD link : CVE-2024-51738

Mitre link : CVE-2024-51738

CVE.ORG link : CVE-2024-51738

JSON object : View

Products Affected

lizardbyte

sunshine

CWE

CWE-305

Authentication Bypass by Primary Weakness

CWE-476

NULL Pointer Dereference

CWE-841

Improper Enforcement of Behavioral Workflow

{"id": "CVE-2024-51738", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-01-20T16:15:27.667", "references": [{"url": "https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-305"}, {"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-841"}]}], "descriptions": [{"lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840."}, {"lang": "es", "value": "Sunshine es un servidor de transmisi\u00f3n de juegos autoalojado para Moonlight. En la versi\u00f3n 0.23.1 y anteriores, la implementaci\u00f3n del protocolo de emparejamiento de Sunshine no valida el orden de las solicitudes y, por lo tanto, es vulnerable a un ataque MITM, lo que potencialmente permite que un atacante no autenticado empareje un cliente secuestrando un intento de emparejamiento leg\u00edtimo. Un atacante remoto tambi\u00e9n puede usar este error para bloquear Sunshine. Esta vulnerabilidad se corrigi\u00f3 en 2025.118.151840."}], "lastModified": "2025-09-11T21:33:04.643", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6CCACC5-BB09-47AF-ADD4-7E2D267B4CDB", "versionEndExcluding": "2025.118.151840"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}