CVE-2024-51738
Published: 20 January 2025
Description
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.
Security Summary
CVE-2024-51738 affects Sunshine, a self-hosted game stream host for Moonlight, in versions 0.23.1 and earlier. The vulnerability stems from the pairing protocol implementation, which fails to validate request order, enabling a man-in-the-middle (MITM) attack. This issue is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-305 (Incorrect Inheritance of Permissions), CWE-476 (NULL Pointer Dereference), and CWE-841 (Improper Enforcement of Behavioral Workflow).
An unauthenticated remote attacker can exploit this vulnerability by positioning themselves between a legitimate client and the Sunshine server during a pairing attempt. By hijacking the pairing process, the attacker can successfully pair their own client, potentially gaining unauthorized access to the game streaming service. Additionally, the flaw allows a remote attacker to crash the Sunshine instance.
The vulnerability has been fixed in version 2025.118.151840. Security practitioners should update to this patched version. Relevant details are available in the GitHub security advisory at https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499 and the fixing commit at https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd.
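The weakness class described above (CWE-841, with CWE-476 as the crash path) is addressed by tracking, per pairing session, which request is allowed next and discarding the attempt on any deviation. The following is an added example and not Sunshine's code or the fixing commit; the step names, the `PairingServer` class and the `secret-for:` check are hypothetical stand-ins.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical step names, listed in the only order the server accepts.
enum class Step { GetCert, ClientChallenge, ServerResponse, ClientSecret };
enum class Result { Ok, Paired, Rejected };

struct Session {
  Step expected = Step::GetCert;  // next step this session may perform
  bool has_challenge = false;     // true only after ClientChallenge ran
  std::string challenge;
};

class PairingServer {
  std::map<std::string, Session> sessions_;  // keyed by client id
 public:
  bool has_session(const std::string &c) const { return sessions_.count(c) != 0; }

  Result handle(const std::string &client, Step step, const std::string &data) {
    if (step == Step::GetCert) sessions_[client] = Session();  // fresh session
    auto it = sessions_.find(client);
    if (it == sessions_.end()) return Result::Rejected;  // no pairing in progress
    Session &s = it->second;
    if (s.expected != step) {  // out of order: discard the whole attempt
      sessions_.erase(it);
      return Result::Rejected;
    }
    switch (step) {
      case Step::GetCert: s.expected = Step::ClientChallenge; return Result::Ok;
      case Step::ClientChallenge:
        s.challenge = data; s.has_challenge = true;
        s.expected = Step::ServerResponse; return Result::Ok;
      case Step::ServerResponse: s.expected = Step::ClientSecret; return Result::Ok;
      case Step::ClientSecret: {
        // Constructed stand-in for the real cryptographic check of the secret.
        bool ok = s.has_challenge && data == "secret-for:" + s.challenge;
        sessions_.erase(it);  // one attempt per session, pass or fail
        return ok ? Result::Paired : Result::Rejected;
      }
    }
    return Result::Rejected;
  }
};

int main() {
  PairingServer srv;
  srv.handle("a", Step::GetCert, "");
  bool rejected = srv.handle("a", Step::ClientSecret, "x") == Result::Rejected;
  std::cout << (rejected ? "out-of-order request rejected\n" : "BUG\n");
}
```

Because a later step is only reachable after the earlier ones have populated the session, the handler never reads state that was not set, which removes the crash path as well as the skipped-step path.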
Details
- CWE(s)