Cyber Resilience

CVE-2024-51144

High

Published: 05 March 2025
Modified: 15 April 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0312 (87.1st percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-51144 is a high-severity CSRF (CWE-352) vulnerability in GitHub (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002). The CVE is ranked in the top 12.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-51144 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, affecting Ampache versions up to and including 6.6.0. The issue exists in the endpoints pvmsg.php?action=add_message, pvmsg.php?action=confirm_delete, and ajax.server.php?page=user&action=flip_follow, which lack proper CSRF protections.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity by unauthenticated attackers, though it requires user interaction such as clicking a malicious link. An attacker can trick an authenticated user into submitting forged requests to these endpoints, enabling unauthorized actions like adding private messages, confirming message deletions, or toggling user follow status, resulting in high impacts to confidentiality, integrity, and availability.

Advisories and mitigation guidance are available in the Ampache GitHub repository at https://github.com/ampache/ampache, as well as researcher publications at https://nitipoom-jar.github.io/CVE-2024-51144/ and https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2024-51144. Security practitioners should consult these sources for patch details and recommended remediation steps.

Vulnerability details

Cross Site Request Forgery (CSRF) vulnerability exists in the pvmsg.php?action=add_message, pvmsg.php?action=confirm_delete, and ajax.server.php?page=user&action=flip_follow endpoints in Ampache <= 6.6.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

The CSRF vulnerability requires tricking an authenticated user into clicking a malicious link to submit forged requests to unprotected endpoints, directly enabling spearphishing link delivery and malicious link execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24742 (shared CWE-352)
CVE-2026-4922 (shared CWE-352)
CVE-2026-40926 (shared CWE-352)
CVE-2026-25812 (shared CWE-352)
CVE-2025-59894 (shared CWE-352)
CVE-2024-47100 (shared CWE-352)
CVE-2025-26963 (shared CWE-352)
CVE-2026-38566 (shared CWE-352)
CVE-2025-25154 (shared CWE-352)
CVE-2024-12386 (shared CWE-352)

Affected Assets

GitHub (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

prevent (SC-23 Session Authenticity): Directly requires mechanisms to protect session authenticity, countering CSRF attacks that exploit valid user sessions via forged requests to vulnerable Ampache endpoints.

prevent (SI-10 Information Input Validation): Mandates validation of information inputs, including CSRF tokens on state-changing endpoints like pvmsg.php?action=add_message, pvmsg.php?action=confirm_delete, and ajax.server.php?page=user&action=flip_follow.

prevent: Requires secure configuration settings for web applications, ensuring CSRF protections such as token generation and validation are implemented and enforced.
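An added PHP example, not Ampache's code, contrasting the unprotected handler shape the advisory describes with the session-bound token check that SC-23 and SI-10 call for on a pvmsg.php?action=add_message-style action. The function names, the session key and the send_private_message stand-in are assumptions.

```php
<?php
// Added example, not Ampache's code: synchronizer-token CSRF protection for a
// state-changing action shaped like the page's pvmsg.php?action=add_message.
// Function names and the session key are hypothetical.
session_start();

// Hypothetical stand-in for the application's message persistence.
function send_private_message(string $to, string $text): void { /* store */ }

// One random token per session; emit it as a hidden field in every
// state-changing form, never in a URL that could leak via Referer.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
// Requiring POST means a cross-site <img src> or plain link click, the
// delivery path in T1566.002 / T1204.001, cannot reach the action at all.
function csrf_check(array $post, string $method): bool
{
    $submitted = $post['csrf_token'] ?? '';
    return $method === 'POST'
        && is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Vulnerable shape (the pattern CVE-2024-51144 describes): the action runs
// for any request carrying the victim's session cookie, forged or not.
function add_message_vulnerable(array $request): void
{
    send_private_message($request['to_user'], $request['message']);
}

// Hardened shape: nothing changes state unless the session-bound token
// arrived with the request; a mismatch is rejected before any side effect.
function add_message_hardened(array $post, string $method): bool
{
    if (!csrf_check($post, $method)) {
        http_response_code(403);
        return false;
    }
    send_private_message($post['to_user'], $post['message']);
    return true;
}
```

The same csrf_check() gate applies unchanged to the confirm_delete and flip_follow actions named on this page, since each performs a state change on behalf of the logged-in user.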
