Cyber Posture

CVE-2024-55073

HighPublic PoC

Published: 27 March 2025

Published
27 March 2025
Modified
11 April 2025
KEV Added
Patch
CVSS Score 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
EPSS Score 0.0014 34.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-55073 is a high-severity Missing Authorization (CWE-862) vulnerability in Mealie Mealie. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 34.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to user profiles via API endpoints like /api/users/{user-id}, directly preventing unauthorized self-edits that escalate privileges.

AC-24 Access Control Decisions good match
prevent

Provides capability for access control decisions based on specific objects such as user IDs, mitigating broken object-level authorization in profile editing.

AC-6 Least Privilege partial match
prevent

Employs least privilege to restrict user permissions, limiting the potential impact of self-escalation through unauthorized profile modifications.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The broken object-level authorization vulnerability directly enables low-privileged authenticated users to bypass access controls and escalate privileges by modifying user profiles and permissions.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows users to edit their own profile in order to give themselves more permissions or to change their household.

Deeper analysisAI

CVE-2024-55073 is a Broken Object Level Authorization vulnerability (CWE-862) in the /api/users/{user-id} component of hay-kot mealie v2.2.0. Published on 2025-03-27, it carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L). The flaw enables improper editing of user profiles, bypassing intended access controls.

Low-privileged authenticated users (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity and no user interaction. By targeting the vulnerable endpoint, attackers can modify their own profile to assign themselves elevated permissions or alter their household affiliation, achieving high integrity impact through potential privilege escalation.

Mitigation details are available in related advisories, including the GitHub issue at https://github.com/mealie-recipes/mealie/issues/4593 and the security post at https://m10x.de/posts/2025/03/all-your-recipe-are-belong-to-us-part-3/3-broken-access-controls-leading-to-privilege-escalation-and-more-in-mealie/.

Details

CWE(s)
CWE-862

Affected Products

mealie
mealie
2.2.0

CVEs Like This One

CVE-2025-48574Shared CWE-862
CVE-2024-57726Shared CWE-862
CVE-2025-24734Shared CWE-862
CVE-2025-48578Shared CWE-862
CVE-2025-7695Shared CWE-862
CVE-2025-2815Shared CWE-862
CVE-2026-39355Shared CWE-862
CVE-2026-29180Shared CWE-862
CVE-2025-23025Shared CWE-862
CVE-2026-20626Shared CWE-862

References