CVE-2024-57610
Published: 06 February 2025
Summary
CVE-2024-57610 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Sylius (vendor: Sylius). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE ranks in the top 6.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2024-57610 is a rate-limiting deficiency in Sylius version 2.0.2 that permits unrestricted authentication attempts against user accounts. The flaw is tracked under CWE-307 and carries a CVSS 3.1 score of 7.5, reflecting high impact on availability with no required privileges or user interaction. The Sylius core itself does not implement brute-force protections, so the issue is present in any deployment running the affected release.
An unauthenticated remote attacker can send large volumes of login requests to enumerate or compromise accounts through brute force while also degrading service for legitimate users. Because the vulnerability is exploitable over the network without authentication, the attack can originate from any internet-connected host and requires no prior access to the application.
The vendor states that Sylius is not designed to mitigate brute-force attacks and directs customers to deploy external controls such as firewalls, rate-limiting middleware, or dedicated authentication providers. No official patch addressing the rate-limiting gap within the core framework is referenced in the available advisories.
The associated EPSS score reached a peak of 0.1227 after disclosure before settling at 0.0977, indicating modest but sustained external interest in the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53645
Vulnerability details
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use "firewalls, rate-limiting middleware, or authentication providers" for that functionality.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The absence of rate limiting on the login endpoint enables unrestricted brute-force attacks (T1110) against user accounts, facilitating credential guessing or spraying without restrictions.
Mitigating Controls (NIST 800-53 r5)
AC-7 enforces restrictions on the number of consecutive unsuccessful logon attempts, directly preventing brute-force attacks on user accounts exploited by this CVE.
SC-5 implements denial-of-service protections such as rate limiting, mitigating the flooding of authentication endpoints that causes service disruption for legitimate users.
SC-7 provides boundary protection via firewalls or middleware to enforce rate limiting on external network access, addressing the remote unauthenticated brute-force exploitation.
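The external control the vendor points to (rate-limiting middleware, above) and the AC-7 / SC-5 controls listed here come down to two counters in front of password verification: a consecutive-failure lockout per account and a sliding-window limit per source address. The following is an added illustration, not Sylius or Symfony code; the thresholds, the `LoginThrottle` class and the `epoch ip account ok|fail` event format are constructed for the example.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Consecutive-failure lockout (AC-7) plus per-source sliding-window limit (SC-5)."""
    def __init__(self, max_failures=5, lockout_seconds=900, ip_limit=20, ip_window=60):
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.failures = defaultdict(int)   # account -> consecutive failed attempts
        self.locked_until = {}             # account -> epoch second the lock expires
        self.ip_hits = defaultdict(deque)  # source ip -> timestamps of admitted attempts

    def check(self, ip, account, now):
        """Return None if the attempt may reach password verification, else a refusal reason."""
        if self.locked_until.get(account, 0) > now:
            return "account_locked"
        hits = self.ip_hits[ip]
        while hits and hits[0] <= now - self.ip_window:  # discard hits outside the window
            hits.popleft()
        if len(hits) >= self.ip_limit:
            return "ip_rate_limited"
        hits.append(now)
        return None

    def record(self, account, success, now):
        """Update the consecutive-failure counter after an admitted attempt."""
        if success:
            self.failures[account] = 0
            return
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0

def replay(log_lines, throttle):
    """Feed constructed events of the form 'epoch ip account ok|fail' through the throttle."""
    decisions = []
    for line in log_lines:
        ts, ip, account, result = line.split()
        reason = throttle.check(ip, account, int(ts))
        if reason is None:  # only admitted attempts reach the password check and the counter
            throttle.record(account, result == "ok", int(ts))
        decisions.append(reason or "allowed")
    return decisions

# Constructed sample: one source hammering one account, then a legitimate login after the lockout.
SAMPLE_LOG = ["0 198.51.100.7 alice fail", "1 198.51.100.7 alice fail", "2 198.51.100.7 alice fail",
              "3 198.51.100.7 alice ok", "1000 198.51.100.7 alice ok"]

def run_sample():
    return replay(SAMPLE_LOG, LoginThrottle(max_failures=3, lockout_seconds=900))
```

Sylius is built on Symfony, whose security firewalls offer an equivalent policy through the `login_throttling` option; whether a given Sylius deployment has it enabled is not something this record states.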