CVE-2024-51738 HIGH

CVE-2024-51738: Sunshine improperly enforces pairing protocol request order

Vendor Lizardbyte
Product Sunshine
Weakness CWE-305
Published January 20, 2025
Last update January 21, 2025

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.

Key dates

02Disclosure timeline

January 20, 2025 CVE published
January 21, 2025 Record updated