CVE-2024-57610
Published: 06 February 2025
Description
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Security Summary
CVE-2024-57610 is a rate-limiting vulnerability in Sylius version 2.0.2, an open-source e-commerce platform. The login endpoint does not restrict the number of authentication attempts, so remote attackers can perform unrestricted brute-force attacks on user accounts, raising the risk of account compromise and of denial of service for legitimate users. It is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to the availability impact.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction. By sending unlimited authentication attempts, the attacker can guess credentials to gain unauthorized access to accounts or flood the login system, disrupting service for valid users.
The supplier maintains that Sylius core software is not intended to handle brute-force protection, advising customers to deploy firewalls, rate-limiting middleware, or external authentication providers for mitigation. Relevant resources include the Sylius GitHub repository (https://github.com/Sylius/Sylius), a dedicated CVE repository (https://github.com/nca785/CVE-2024-57610), and the Sylius website (https://sylius.com/).
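As an added example of the rate-limiting middleware the vendor advises (not Sylius code), the following throttle keeps failure budgets per account and per source IP over a sliding window, so both single-account guessing and password spraying from one source are cut off; the limits, window and the simulated traffic are constructed values.

```python
# Added example, not Sylius code: the login-attempt throttling that
# CVE-2024-57610 (CWE-307) lacks, placed in front of the login endpoint.
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_per_user=5, max_per_ip=20, window=900.0):
        self.max_per_user = max_per_user   # failures per account per window
        self.max_per_ip = max_per_ip       # failures per source IP per window
        self.window = window               # sliding window in seconds
        self._user = defaultdict(deque)    # username -> failure timestamps
        self._ip = defaultdict(deque)      # ip -> failure timestamps

    def _prune(self, q, now):
        # Drop failures that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, username, ip, now):
        """True if this attempt may be checked against the password store."""
        u, i = self._user[username.lower()], self._ip[ip]
        self._prune(u, now)
        self._prune(i, now)
        return len(u) < self.max_per_user and len(i) < self.max_per_ip

    def record_failure(self, username, ip, now):
        self._user[username.lower()].append(now)
        self._ip[ip].append(now)

    def record_success(self, username):
        # A correct login clears the account budget only; the per-IP
        # budget stays so one known-good account cannot reset it.
        self._user.pop(username.lower(), None)


def attempts_checked(throttle, usernames, ip, n, start=0.0):
    """Constructed simulation: n failed guesses, cycling over usernames,
    one per second from a single IP. Returns how many reached the
    password check before the throttle refused the rest."""
    checked = 0
    for k in range(n):
        user, now = usernames[k % len(usernames)], start + k
        if throttle.allowed(user, ip, now):
            checked += 1
            throttle.record_failure(user, ip, now)
    return checked
```

In a deployment the same check belongs at the edge (WAF or reverse proxy) as well, since an in-process limiter protects only the instance that holds its counters.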
Details
CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Affected Products: Sylius 2.0.2
MITRE ATT&CK Enterprise Techniques: T1110 (Brute Force)
Why these techniques?
The absence of rate limiting on the login endpoint enables unrestricted brute-force attacks (T1110) against user accounts, whether by guessing many passwords for one account or by spraying a few common passwords across many accounts.