Cyber Resilience

CVE-2024-29224

Severity: Critical · RCE

Published: 21 November 2024
Modified: 17 December 2024
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: none listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0402 (88.7th percentile)
Risk Priority: 22 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-29224 is a critical-severity OS Command Injection (CWE-78) vulnerability in Mayuresh82 Gocast. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 11.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

An OS command injection vulnerability exists in the NAT parameter of GoCast version 1.1.3. A specially crafted HTTP request can trigger arbitrary command execution on the affected system, corresponding to CWE-78 and carrying a CVSS 3.1 score of 9.8.

An unauthenticated attacker can exploit the flaw by sending a malicious HTTP request over the network, achieving full control over the target without requiring credentials or user interaction.

Public advisories from Talos Intelligence detail the issue under TALOS-2024-1961 and are available at the referenced URLs.

The associated EPSS score rose from a low baseline after disclosure to a peak of 0.0665 on 2025-12-11 before receding to the current value of 0.0402, indicating a period of increased exploitation interest.

EU & UK References

Vulnerability details

An OS command injection vulnerability exists in the NAT parameter of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.

CWE(s)

CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: mayuresh82
Product: gocast
Version: 1.1.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent applications typically execute inside a managed runtime or sandbox that restricts direct OS command execution, which reduces the exploitability of OS command injection.

Addresses CWE-78: Validate inputs to block special elements (shell metacharacters and separators) that would alter OS command execution, and pass user-supplied values to subprocesses as discrete arguments rather than through a shell.
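The following Go program is an added example written for this page, not GoCast's own code: it shows the input-validation control above combined with argv-style process invocation, which together address CWE-78. The dotted-quad allowlist for the `nat` value, the `ip addr show` invocation and the handler name are assumptions chosen for illustration; the real parameter format in GoCast is not described here. The unsafe shape this replaces is concatenating the request parameter into a string handed to `sh -c`, where separators and substitution syntax in the value become part of the command line.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"os/exec"
	"regexp"
)

// natParamPattern is a strict allowlist: a dotted-quad IPv4 address and nothing
// else. Values containing spaces, separators, quotes or substitution syntax fail
// to match and are rejected before any process-spawning code sees them.
// (The IPv4-only format is an assumption for this example.)
var natParamPattern = regexp.MustCompile(`^(?:\d{1,3}\.){3}\d{1,3}$`)

// ErrInvalidNAT is returned when the nat parameter fails the allowlist.
var ErrInvalidNAT = errors.New("nat parameter rejected by allowlist")

// validateNAT returns nil only for values matching the allowlist.
func validateNAT(v string) error {
	if !natParamPattern.MatchString(v) {
		return ErrInvalidNAT
	}
	return nil
}

// buildNATCommand shows the safe invocation shape: a fixed binary with the
// user value passed as one argv element. exec.Command does not consult a
// shell, so metacharacters in v can never change the command line. The
// "ip addr show to <addr>" invocation is a hypothetical placeholder, not
// GoCast's real command.
func buildNATCommand(v string) (*exec.Cmd, error) {
	if err := validateNAT(v); err != nil {
		return nil, err
	}
	return exec.Command("ip", "addr", "show", "to", v), nil
}

// natHandler is a hypothetical HTTP handler that wires validation in front of
// execution and returns 400 on rejected input instead of running anything.
func natHandler(w http.ResponseWriter, r *http.Request) {
	cmd, err := buildNATCommand(r.URL.Query().Get("nat"))
	if err != nil {
		http.Error(w, "invalid nat parameter", http.StatusBadRequest)
		return
	}
	out, err := cmd.CombinedOutput()
	if err != nil {
		http.Error(w, "command failed", http.StatusInternalServerError)
		return
	}
	_, _ = w.Write(out)
}

func main() {
	// Constructed sample inputs: only the first passes validation.
	for _, v := range []string{"10.0.0.1", "10.0.0.1;ls", "$(id)", "10.0.0.1 -o"} {
		fmt.Printf("%-14q -> %v\n", v, validateNAT(v))
	}
}
```

The validation step and the argv-based invocation are independent layers: the allowlist rejects malformed input early with a clear error, and exec.Command with explicit arguments guarantees that even a value which slipped past a weaker pattern would reach the child process as data, not as shell syntax.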

References