CVE-2024-51738

Summary

Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.

Affected Software

VendorProductVersion RangeStatus
LizardByteSunshine< 2025.118.151840affected

Weaknesses

  • CWE-305: CWE-305: Authentication Bypass by Primary Weakness
  • CWE-476: CWE-476: NULL Pointer Dereference
  • CWE-841: CWE-841: Improper Enforcement of Behavioral Workflow

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References