CVE-2024-51738: Sunshine improperly enforces pairing protocol request order

7.7 CVSS

Description

Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.
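The defect class here is a handshake handler that acts on whatever phase arrives, without checking that it belongs to the one pairing in flight and is the step that pairing expects. The following is an added illustration, not Sunshine's code (the phase names and the single-session model are assumptions): a lax handler that accepts any phase from anyone and dereferences state it may not have, next to a handler that binds every request to the current session's owner and expected step.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative handshake order; these names are assumptions, not Sunshine's.
PHASES = ("hello", "client_challenge", "server_challenge_resp", "client_secret")


@dataclass
class PairingSession:
    client_id: str
    next_index: int  # index into PHASES of the step this session expects next


class LaxPairingServer:
    """Vulnerable pattern: no ordering or ownership check on later phases."""

    def __init__(self) -> None:
        self.session: Optional[PairingSession] = None

    def handle(self, client_id: str, phase: str) -> str:
        if phase == PHASES[0]:
            self.session = PairingSession(client_id, 1)
            return "ok"
        # Any later phase is processed as-is: a final phase with no session
        # in flight dereferences None (crash), and a request from another
        # client is trusted as if it belonged to the session (hijack).
        self.session.next_index += 1
        return "paired" if phase == PHASES[-1] else "ok"


class PairingServer:
    """Hardened pattern: one session, one owner, one expected step."""

    def __init__(self) -> None:
        self.session: Optional[PairingSession] = None

    def handle(self, client_id: str, phase: str) -> str:
        if phase not in PHASES:
            return "error: unknown phase"
        idx = PHASES.index(phase)
        if idx == 0:
            if self.session is not None:
                return "error: pairing already in progress"
            self.session = PairingSession(client_id, 1)
            return "ok"
        s = self.session
        if s is None:
            return "error: no pairing in progress"
        if s.client_id != client_id:
            return "error: request from a different client"
        if idx != s.next_index:
            return "error: out-of-order request"
        s.next_index += 1
        if s.next_index == len(PHASES):
            self.session = None  # handshake complete; clear state before success
            return "paired"
        return "ok"
```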

Classification

CVE ID: CVE-2024-51738

CVSS Base Severity: HIGH

CVSS Base Score: 7.7

Affected Products

Vendor: LizardByte

Product: Sunshine

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation in the wild)

EPSS Percentile: 11.68% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-18 (date the score was calculated)

References

https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499
https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd

Timeline