CVE-2024-31220 in Sunshineinfo

Summary

by MITRE • 04/05/2024

Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit vulnerability, attacker could make an http/s request to the `node_modules` endpoint if user exposed Sunshine config web server to internet or attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 09/12/2025

The vulnerability identified as CVE-2024-31220 affects Sunshine, a self-hosted game stream host designed for Moonlight compatibility. This security flaw represents a critical path traversal vulnerability that allows unauthenticated remote attackers to access arbitrary files on affected systems. The vulnerability specifically impacts versions 0.16.0 through 0.17.0, creating a window of exposure where attackers could exploit the system without requiring valid credentials or authentication. The flaw manifests through the Sunshine configuration web user interface, which when exposed beyond localhost boundaries becomes accessible to external threat actors.

The technical implementation of this vulnerability stems from improper input validation within the web server component of Sunshine. Attackers can exploit this weakness by crafting HTTP requests targeting the node_modules endpoint, which serves as an entry point for accessing the underlying file system. This path traversal flaw enables attackers to navigate through the file system hierarchy and retrieve sensitive files that should remain protected. The vulnerability is particularly concerning because it operates at the web application layer and can be exploited remotely, making it accessible to threat actors regardless of their physical location. The attack vector specifically targets systems where the Sunshine configuration web server has been exposed to the internet or where attackers have network access within the local area network.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with access to potentially sensitive system files that could include configuration data, application code, or other confidential information stored within the node_modules directory structure. This access could enable attackers to gather intelligence about the system configuration, identify potential additional vulnerabilities, or extract credentials and other sensitive materials. The vulnerability affects any user who has exposed the Sunshine web interface beyond localhost boundaries, making it particularly dangerous for home users or organizations that have not properly configured their firewall rules to restrict access to internal services. The exposure creates a persistent threat vector that remains active until the system is updated to version 0.18.0 or later, which contains the necessary patch to address the path traversal vulnerability.

The mitigation strategy for this vulnerability primarily involves upgrading to Sunshine version 0.18.0 or later, which includes the appropriate patch to resolve the path traversal issue. Organizations and users who cannot immediately upgrade should implement firewall rules to block external access to the Sunshine configuration web server ports, effectively preventing unauthorized remote exploitation. Additionally, network segmentation and proper access controls should be implemented to ensure that internal services remain protected from external threats. This vulnerability aligns with CWE-22, which describes path traversal vulnerabilities, and represents a common attack pattern that falls under the ATT&CK technique T1083, which covers file and directory discovery. The security community recognizes this type of vulnerability as particularly dangerous due to its ability to provide attackers with unauthorized access to system files without requiring authentication, making it a significant concern for any application that exposes web interfaces to untrusted networks.

Responsible

GitHub, Inc.

Reservation

03/29/2024

Disclosure

04/05/2024

Moderation

accepted

CPE

ready

EPSS

0.00491

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!