CVE-2024-51738

Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.

Configurations

Configuration 1

cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*

History

11 Sep 2025, 21:33

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPE | | cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:* |
| Summary | | (es) Sunshine is a self-hosted game streaming server for Moonlight. In version 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate the order of requests and is therefore vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. A remote attacker can also use this bug to crash Sunshine. This vulnerability was fixed in 2025.118.151840. |
| First Time | | Lizardbyte sunshine; Lizardbyte |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 8.1 |
| References | () https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd - | () https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd - Patch |
| References | () https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499 - | () https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499 - Vendor Advisory |

20 Jan 2025, 16:15

| Type | Values Removed | Values Added |
| --- | --- | --- |
| New CVE | | |

Information

Published : 2025-01-20 16:15

Updated : 2025-09-11 21:33


NVD link : CVE-2024-51738

Mitre link : CVE-2024-51738

CVE.ORG link : CVE-2024-51738


Products Affected

lizardbyte

  • sunshine

CWE

CWE-305

Authentication Bypass by Primary Weakness

CWE-476

NULL Pointer Dereference

CWE-841

Improper Enforcement of Behavioral Workflow