Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.
CVE ID: CVE-2024-51738
CVSS Base Severity: HIGH
CVSS Base Score: 7.7
Vendor: LizardByte
Product: Sunshine
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 11.68% (scored less or equal to compared to others)
EPSS Date: 2025-02-18 (when was this score calculated)