CVE-2024-31220

HIGH EPSS 38.5%

Published Apr 5, 20242y ago · Modified Jun 17, 20261w ago

7.3 CVSS 3.1

High

Published Apr 5, 2024 2y ago

Last Modified Jun 17, 2026 1w ago

Description

Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit vulnerability, attacker could make an http/s request to the `node_modules` endpoint if user exposed Sunshine config web server to internet or attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall.

CVSS Details

Base Score

7.3

Exploitability

3.9

Impact

3.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability Low

Threat Intelligence

EPSS Exploit Probability

38.5% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-22 Path Traversal Resource Mgmt

Affected Products 1

Vendor	Product	Version	Range
lizardbyte	sunshine	*	≥0.16.0 – <0.18.0

References 2

github.com https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0

Release Notes
github.com https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.