Path Traversal Vulnerability in Sunshine Game Stream Host by LizardByte
CVE-2024-31220
What is CVE-2024-31220?
Sunshine, a self-hosted game stream host developed by LizardByte, is vulnerable to a path traversal issue that permits unauthorized remote access to arbitrary files. The vulnerability affects versions 0.16.0 up to 0.17.x and is exploitable through the Sunshine configuration web user interface when that interface is exposed to non-localhost networks. If the Sunshine config web server is accessible over the internet or within the local area network, attackers could send crafted HTTP/S requests to the node_modules directory to retrieve sensitive information. To mitigate this risk, upgrading to version 0.18.0, which contains the necessary security patches, is strongly recommended; alternatively, access should be restricted through firewall configuration.
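The containment check that a static-file handler serving a node_modules directory needs, shown as an added C++17 example (not Sunshine's own code or its actual patch). The names `resolve_static`, `is_within` and `make_demo_tree` are hypothetical, the sample tree is constructed, and the request path is assumed to be already percent-decoded by the HTTP layer.

```cpp
#include <algorithm>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// True when `candidate` is `base` or lies beneath it. Compares whole path
// components, so "node_modules_backup" is not mistaken for "node_modules".
bool is_within(const fs::path &candidate, const fs::path &base) {
  auto m = std::mismatch(base.begin(), base.end(), candidate.begin(), candidate.end());
  return m.first == base.end();
}

// Hypothetical handler core: maps a request path to a file on disk, or
// returns nullopt when the resolved path escapes <web_root>/node_modules.
std::optional<fs::path> resolve_static(const fs::path &web_root, const std::string &request_path) {
  std::error_code ec;
  const fs::path base = fs::weakly_canonical(web_root / "node_modules", ec);
  if (ec) return std::nullopt;
  // relative_path() drops the leading "/" so the join cannot replace web_root;
  // weakly_canonical() resolves symlinks and collapses "." and ".." segments.
  const fs::path target =
      fs::weakly_canonical(web_root / fs::path(request_path).relative_path(), ec);
  if (ec || !is_within(target, base)) return std::nullopt;
  if (!fs::is_regular_file(target, ec)) return std::nullopt;
  return target;
}

// Builds a constructed sample tree in the temp directory and returns its root.
fs::path make_demo_tree() {
  const fs::path root = fs::temp_directory_path() / "static_demo_web";
  fs::remove_all(root);
  fs::create_directories(root / "node_modules" / "pkg");
  fs::create_directories(root / "node_modules_backup");
  std::ofstream(root / "node_modules" / "pkg" / "index.js") << "ok";
  std::ofstream(root / "node_modules_backup" / "x.js") << "x";
  std::ofstream(root / "credentials.json") << "constructed sample";
  return root;
}

int main() {
  const fs::path root = make_demo_tree();
  for (const char *p : {"/node_modules/pkg/index.js", "/node_modules/../credentials.json"})
    std::cout << p << " -> " << (resolve_static(root, p) ? "served" : "rejected") << "\n";
}
```

The check runs on the canonicalized path rather than on the raw request string, so it holds regardless of how the traversal segments were written in the request.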