
CVE-2024-53351

Critical

Published: 21 March 2025

Modified: 01 April 2025
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0009 (26.1st percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-53351 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Linuxfoundation Pipecd. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 26.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2024-53351 involves insecure permissions in PipeCD version 0.49, classified under CWE-276 (Incorrect Default Permissions). This vulnerability enables attackers to access the service account's token, resulting in escalation of privileges. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts across confidentiality, integrity, and availability.

Remote, unauthenticated attackers can exploit this flaw over the network to obtain the service account token and escalate privileges within the affected PipeCD deployment. No special access or user involvement is needed, allowing widespread potential for compromise in environments running the vulnerable version.

Mitigation details and further advisories are available in the referenced GitHub Gist at https://gist.github.com/HouqiyuA/948a808b8bd48b17b37a4d5e0b6fb005, the PipeCD GitHub repository at https://github.com/pipe-cd/pipecd, and the project website at https://pipecd.dev/. Security practitioners should consult these sources for patching instructions and remediation steps.


Vulnerability details

Insecure permissions in pipecd v0.49 allow attackers to gain access to the service account's token, leading to escalation of privileges.

CWE(s)

CWE-276 (Incorrect Default Permissions)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The remote unauthenticated vulnerability in the public-facing PipeCD service allows direct access to the service account token, enabling initial access via public-facing application exploitation (T1190) and resulting in privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33217 (same vendor: Linuxfoundation)
CVE-2026-32613 (same vendor: Linuxfoundation)
CVE-2026-24124 (same vendor: Linuxfoundation)
CVE-2026-37530 (same vendor: Linuxfoundation)
CVE-2026-49157 (shared CWE-276)
CVE-2025-68137 (same vendor: Linuxfoundation)
CVE-2026-22593 (same vendor: Linuxfoundation)
CVE-2026-37525 (same vendor: Linuxfoundation)
CVE-2026-37526 (same vendor: Linuxfoundation)
CVE-2024-55215 (shared CWE-276)

Affected Assets

Vendor: linuxfoundation
Product: pipecd
Versions: ≤ 0.49.3

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely identification, reporting, and correction of the specific flaw in PipeCD v0.49 involving insecure permissions that expose the service account token.

prevent (IA-5, Authenticator Management): Mandates protection of authenticator content such as service account tokens from unauthorized disclosure and modification through proper management and secure handling.

prevent (CM-6, Configuration Settings): Establishes and documents secure configuration settings to prevent incorrect default permissions that allow access to sensitive service account tokens.
