Unrated severity · NVD Advisory · Published Jan 20, 2025 · Updated Jan 21, 2025
Sunshine improperly enforces pairing protocol request order
CVE-2024-51738
Description
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.
Affected products
- Range: < 2025.118.151840
Patches
No patches discovered yet.
References
- github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd (mitre, x_refsource_MISC)
- github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499 (mitre, x_refsource_CONFIRM)