HIGH🇬🇧 English

CVE-2024-31220

CVSS 7.3v3.1pub. 2024-04-05upd. 2025-09-11

Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit vulnerability, attacker could make an http/s request to the `node_modules` endpoint if user exposed Sunshine config web server to internet or attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Lizardbyte Sunshine

    APP
    Lizardbyte
    0.16.0 – 0.18.0 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
Path TraversalFirewall
CWE
Referencje

Powiązane podatności

CVE-2026-32253CRITICAL9.8PL ✓ten sam produkt

Auth Bypass w Lizardbyte Sunshine — obejście weryfikacji certyfikatu klienta

CVE-2025-53095CRITICAL9.6PL ✓ten sam produkt

CSRF w Sunshine umożliwia RCE z uprawnieniami administratora

CVE-2025-10199HIGH7.8ten sam produkt

A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely...

CVE-2025-10198HIGH7.8ten sam produkt

Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing ...

CVE-2024-51738HIGH7.7ten sam produkt

Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol i...