CVE-2024-51738
Published: 20 January 2025
Summary
CVE-2024-51738 is a high-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in Lizardbyte Sunshine. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SC-8 (Transmission Confidentiality and Integrity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the pairing protocol flaw by requiring timely patching to the fixed version 2025.118.151840.
Prevents MITM hijacking of pairing requests by enforcing confidentiality and integrity protections on all network transmissions.
Protects the authenticity of pairing sessions against hijacking and unauthorized client pairing by requiring session-specific mechanisms.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln enables remote unauthenticated exploitation of public-facing Sunshine server via MITM hijacking of pairing protocol for unauthorized access.
NVD Description
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by…
more
hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.
Deeper analysisAI
CVE-2024-51738 affects Sunshine, a self-hosted game stream host for Moonlight, in versions 0.23.1 and earlier. The vulnerability stems from the pairing protocol implementation, which fails to validate request order, enabling a man-in-the-middle (MITM) attack. This issue is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-305 (Incorrect Inheritance of Permissions), CWE-476 (NULL Pointer Dereference), and CWE-841 (Improper Enforcement of Behavioral Workflow).
An unauthenticated remote attacker can exploit this vulnerability by positioning themselves between a legitimate client and the Sunshine server during a pairing attempt. By hijacking the pairing process, the attacker can successfully pair their own client, potentially gaining unauthorized access to the game streaming service. Additionally, the flaw allows a remote attacker to crash the Sunshine instance.
The vulnerability has been fixed in version 2025.118.151840. Security practitioners should update to this patched version. Relevant details are available in the GitHub security advisory at https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499 and the fixing commit at https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd.
Details
- CWE(s)