CVE-2024-55963
Published: 26 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-55963 affects Appsmith versions prior to 1.51 and involves incorrect access control checks (CWE-284) on the restart API endpoint. Non-administrative users can trigger this API, causing the Appsmith server to restart within its container. While the impact is confined to the Appsmith server itself, repeated invocations enable a denial-of-service condition.
The vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), indicating network accessibility, low attack complexity, and exploitation requiring only low privileges with no user interaction. An authenticated attacker with a standard user account can repeatedly call the restart API to disrupt service availability, though confidentiality and integrity are not impacted.
The official advisory from Appsmith, available at https://github.com/appsmithorg/appsmith/security/advisories/GHSA-6mc8-hw5c-7qqr, describes the fix. Organizations should upgrade to Appsmith 1.51 or later, which enforces a proper super user permission check on restart API requests.
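As an added defender-side example (not Appsmith's code and not part of the advisory), the following Python scans constructed access-log lines for the two signals this issue produces: restart-endpoint calls made by a non-super user, and repeated restarts by a single caller within a short window. The log format and the endpoint path /api/v1/admin/restart are assumptions; substitute the instance's actual restart route.

```python
import re
from collections import defaultdict

# Constructed sample log (not real Appsmith output): ts method path user role status
SAMPLE_LOG = """\
1711400000 POST /api/v1/admin/restart alice@example.com SUPERUSER 200
1711400030 POST /api/v1/admin/restart bob@example.com USER 200
1711400045 POST /api/v1/admin/restart bob@example.com USER 200
1711400060 POST /api/v1/admin/restart bob@example.com USER 200
1711400100 GET /api/v1/users/me bob@example.com USER 200
"""

RESTART_PATH = "/api/v1/admin/restart"  # assumed route; not taken from the advisory
LINE_RE = re.compile(r"^(\d+) (\w+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_lines(text):
    """Parse the assumed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, method, path, user, role, status = m.groups()
            events.append({"ts": int(ts), "method": method, "path": path,
                           "user": user, "role": role, "status": int(status)})
    return events

def find_restart_abuse(events, window_s=300, threshold=2):
    """Return (kind, user, ts) findings.
    non_superuser_restart: a restart call by a user without the super user role
    (on an unpatched server this succeeds; on 1.51+ it should be rejected, but the
    attempt is still worth alerting on).
    repeated_restart: more than `threshold` restart calls by one user within
    `window_s` seconds, the pattern behind the denial-of-service condition."""
    findings = []
    per_user = defaultdict(list)
    for e in events:
        if e["path"] != RESTART_PATH:
            continue
        if e["role"] != "SUPERUSER":
            findings.append(("non_superuser_restart", e["user"], e["ts"]))
        per_user[e["user"]].append(e["ts"])
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                findings.append(("repeated_restart", user, stamps[end]))
                break
    return findings
```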
Details
- CWE(s): CWE-284 (Improper Access Control)
- Affected Products: Appsmith versions prior to 1.51
- MITRE ATT&CK Enterprise Techniques: T1499.004 Endpoint Denial of Service: Application or System Exploitation (the technique described above)
Why these techniques?
The vulnerability allows low-privileged authenticated users to invoke the restart API, directly enabling denial of service by restarting the application server.