CVE-2024-55963
Published: 26 March 2025
Summary
CVE-2024-55963 is a medium-severity Improper Access Control (CWE-284) vulnerability in Appsmith. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 2.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
Appsmith versions prior to 1.51 are affected by an improper access control vulnerability tracked as CVE-2024-55963 and CWE-284. The restart API lacks required super-user permission checks on incoming requests, allowing any authenticated user to invoke a server restart that remains confined to the Appsmith container itself.
An attacker with low-privileged network access can repeatedly trigger the restart endpoint, producing a denial-of-service condition that degrades availability while leaving confidentiality and integrity untouched; the CVSS 6.5 score reflects this limited but persistent impact.
The associated GitHub security advisory GHSA-6mc8-hw5c-7qqr outlines the root cause and the corrective measures implemented in the 1.51 release.
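The flaw described above is a missing authorization check in front of a privileged action. The following added example (not Appsmith's code; the permission name, endpoint path and log format are constructed for illustration) models the unchecked handler beside a corrected one that enforces a super-user permission (AC-3, AC-6), and adds a small audit-log check for the repeated-restart pattern that produces the denial of service.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

@dataclass
class User:
    name: str
    permissions: Set[str] = field(default_factory=set)

# Hypothetical permission name; Appsmith's real permission identifiers are not on the page.
SUPER_USER_PERMISSION = "manageInstance"

def restart_vulnerable(user: Optional[User]) -> Tuple[int, str]:
    """Mirrors the CWE-284 flaw: authentication is checked, authorization is not."""
    if user is None:
        return 401, "unauthenticated"
    return 200, "restarting"  # any authenticated user reaches the privileged action

def restart_fixed(user: Optional[User]) -> Tuple[int, str]:
    """Access enforcement: the super-user permission is required before restarting."""
    if user is None:
        return 401, "unauthenticated"
    if SUPER_USER_PERMISSION not in user.permissions:
        return 403, "forbidden"
    return 200, "restarting"

def suspicious_restart_callers(log_lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Detection: callers who successfully invoked the restart endpoint at least
    `threshold` times. Constructed log format: '<user> <method> <path> <status>'."""
    hits: Counter = Counter()
    for line in log_lines:
        user, method, path, status = line.split()
        if method == "POST" and path.endswith("/restart") and status == "200":
            hits[user] += 1
    return {u: n for u, n in hits.items() if n >= threshold}

# Constructed sample audit log (path is illustrative, not Appsmith's real route).
SAMPLE_LOG = [
    "alice POST /api/v1/admin/restart 200",
    "bob GET /api/v1/applications 200",
    "alice POST /api/v1/admin/restart 200",
    "carol POST /api/v1/admin/restart 403",
    "alice POST /api/v1/admin/restart 200",
]

if __name__ == "__main__":
    print(restart_vulnerable(User("alice")), restart_fixed(User("alice")))
    print(suspicious_restart_callers(SAMPLE_LOG))
```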
The EPSS score currently stands at 0.3723 with a recorded peak of 0.3907.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54312
Vulnerability details
An issue was discovered in Appsmith before 1.51. A user on Appsmith that doesn't have admin permissions can trigger the restart API on Appsmith, causing a server restart. This is still within the Appsmith container, and the impact is limited to Appsmith's own server only, but there is a denial of service because it can be continually restarted. This is due to incorrect access control checks, which should check for super user permissions on the incoming request.
- CWE(s): CWE-284 (Improper Access Control)
Related Threats
MITRE ATT&CK Enterprise Techniques: Application or System Exploitation (T1499.004)
Why these techniques?
The vulnerability allows low-privileged authenticated users to invoke the restart API, directly enabling denial of service by restarting the application server.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations on APIs like the restart endpoint to prevent non-admin users from triggering server restarts.
- AC-6 (Least Privilege): Restricts restart API access to super users only, complementing enforcement checks.
- Denial-of-service protection: Protects against denial of service from repeated restart invocations by limiting their effect on system availability.