Vulnerabilities related to LizardByte - Sunshine
CVE-2024-31226 (GCVE-0-2024-31226)
Vulnerability from cvelistv5
Published: 2024-05-16 18:12
Modified: 2024-08-15 14:28
CWE
- CWE-428 - Unquoted Search Path or Element
Summary
Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacker placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed through path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.
References
URL | Tags
---|---
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp | x_refsource_CONFIRM
https://github.com/LizardByte/Sunshine/pull/2379 | x_refsource_MISC
https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a | x_refsource_MISC

Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine | >= 0.17.0, < 0.23.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T01:46:04.972Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp" }, { "name": "https://github.com/LizardByte/Sunshine/pull/2379", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/LizardByte/Sunshine/pull/2379" }, { "name": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*" ], "defaultStatus": "unknown", "product": "sunshine", "vendor": "lizardbyte", "versions": [ { "lessThan": "0.23", "status": "affected", "version": "0.17", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-31226", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2024-05-23T20:37:55.439986Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-15T14:28:39.036Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Sunshine", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "\u003e= 0.17.0, \u003c 0.23.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. 
Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\\Program.exe`, `C:\\Program.bat`, or `C:\\Program.cmd` on the user\u0027s computer. This attack vector isn\u0027t exploitable unless the user has manually loosened ACLs on the system drive. If the user\u0027s system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-428", "description": "CWE-428: Unquoted Search Path or Element", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-05-16T18:12:57.081Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp" }, { "name": "https://github.com/LizardByte/Sunshine/pull/2379", "tags": [ 
"x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/pull/2379" }, { "name": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a" } ], "source": { "advisory": "GHSA-r3rw-mx4q-7vfp", "discovery": "UNKNOWN" }, "title": "Sunshine\u0027s unquoted executable path could lead to hijacked execution flow" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-31226", "datePublished": "2024-05-16T18:12:57.081Z", "dateReserved": "2024-03-29T14:16:31.902Z", "dateUpdated": "2024-08-15T14:28:39.036Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53096 (GCVE-0-2025-53096)
Vulnerability from cvelistv5
Published: 2025-07-01 01:33
Modified: 2025-07-01 13:21
CWE
- CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
Summary
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510.
References
URL | Tags
---|---
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-x97g-h2vp-g2c5 | x_refsource_CONFIRM
https://github.com/LizardByte/Sunshine/commit/2f27a57d01911436017f87bf08b9e36dcfaa86cc | x_refsource_MISC

Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine | < 2025.628.4510
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-53096", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-07-01T13:21:36.325765Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-01T13:21:41.271Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Sunshine", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "\u003c 2025.628.4510" } ] } ], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-1021", "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-01T01:33:01.336Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-x97g-h2vp-g2c5", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-x97g-h2vp-g2c5" }, { "name": "https://github.com/LizardByte/Sunshine/commit/2f27a57d01911436017f87bf08b9e36dcfaa86cc", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/commit/2f27a57d01911436017f87bf08b9e36dcfaa86cc" } ], "source": { "advisory": "GHSA-x97g-h2vp-g2c5", "discovery": "UNKNOWN" }, "title": "Sunshine clickjacking in the UI leads to unauthorized actions being performed" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-53096", "datePublished": "2025-07-01T01:33:01.336Z", "dateReserved": "2025-06-25T13:41:23.086Z", "dateUpdated": "2025-07-01T13:21:41.271Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-45407 (GCVE-0-2024-45407)
Vulnerability from cvelistv5
Published: 2024-09-10 15:13
Modified: 2024-09-10 16:12
CWE
- CWE-300 - Channel Accessible by Non-Endpoint
Summary
Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertently allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker.
References
Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine | >= 5fcd07ecb1428bfe245ad6fa349aead476c7e772, < fd7e68457a134102d1b30af5796c79f2aa623224
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-45407", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-09-10T16:12:07.341939Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-10T16:12:18.563Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Sunshine", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "\u003e= 5fcd07ecb1428bfe245ad6fa349aead476c7e772, \u003c fd7e68457a134102d1b30af5796c79f2aa623224" } ] } ], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-300", "description": "CWE-300: Channel Accessible by Non-Endpoint", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-09-10T15:13:20.126Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-jqph-8cp5-g874", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-jqph-8cp5-g874" }, { "name": "https://github.com/LizardByte/Sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772" }, { "name": "https://github.com/LizardByte/Sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224" } ], "source": { "advisory": "GHSA-jqph-8cp5-g874", "discovery": "UNKNOWN" }, "title": "Sunshine has incorrect state management during pairing process may lead to incorrectly authorized client" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-45407", "datePublished": "2024-09-10T15:13:20.126Z", "dateReserved": "2024-08-28T20:21:32.804Z", "dateUpdated": "2024-09-10T16:12:18.563Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-54081 (GCVE-0-2025-54081)
Vulnerability from cvelistv5
Published: 2025-09-23 18:18
Modified: 2025-09-23 19:17
CWE
- CWE-428 - Unquoted Search Path or Element
Summary
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222.
References
URL | Tags
---|---
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h | x_refsource_CONFIRM
https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5065824 | x_refsource_MISC
https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222 | x_refsource_MISC

Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine | < 2025.923.33222
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-54081", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-23T19:15:27.573785Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-09-23T19:17:53.733Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "references": [ { "tags": [ "exploit" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h" } ], "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Sunshine", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "\u003c 2025.923.33222" } ] } ], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM) interprets the path incrementally and may execute a malicious binary placed earlier in the search string. This issue has been patched in version 2025.923.33222." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-428", "description": "CWE-428: Unquoted Search Path or Element", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-23T18:18:39.474Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6p7j-5v8v-w45h" }, { "name": "https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5065824", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/commit/f22b00d6981f756d3531fba0028723d4a5065824" }, { "name": "https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/releases/tag/v2025.923.33222" } ], "source": { "advisory": "GHSA-6p7j-5v8v-w45h", "discovery": "UNKNOWN" }, "title": "SunshineService Has Unquoted Service Path That Allows Local SYSTEM Code Execution" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-54081", "datePublished": "2025-09-23T18:18:39.474Z", "dateReserved": "2025-07-16T13:22:18.207Z", "dateUpdated": "2025-09-23T19:17:53.733Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-51738 (GCVE-0-2024-51738)
Vulnerability from cvelistv5
Published: 2025-01-20 15:26
Modified: 2025-01-21 14:59
CWE
Summary
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.
References
URL | Tags
---|---
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499 | x_refsource_CONFIRM
https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd | x_refsource_MISC

Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine | < 2025.118.151840
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-51738", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-01-21T14:59:20.927312Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-01-21T14:59:35.704Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Sunshine", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "\u003c 2025.118.151840" } ] } ], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine\u0027s pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840." 
} ], "metrics": [ { "cvssV4_0": { "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 7.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-841", "description": "CWE-841: Improper Enforcement of Behavioral Workflow", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-01-20T15:26:03.955Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499" }, { "name": "https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd" } ], "source": { "advisory": "GHSA-3hrw-xv8h-9499", "discovery": "UNKNOWN" }, "title": "Sunshine improperly enforces pairing protocol request order" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-51738", "datePublished": "2025-01-20T15:26:03.955Z", "dateReserved": "2024-10-31T14:12:45.788Z", "dateUpdated": "2025-01-21T14:59:35.704Z", 
"state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-31220 (GCVE-0-2024-31220)
Vulnerability from cvelistv5
Published: 2024-04-05 14:59
Modified: 2024-08-02 01:46
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit the vulnerability, an attacker could make an HTTP/S request to the `node_modules` endpoint if the user exposed the Sunshine config web server to the internet or the attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall.
References
URL | Tags
---|---
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc | x_refsource_CONFIRM
https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0 | x_refsource_MISC

Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine | >= 0.16.0, < 0.18.0
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2024-31220", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-04-09T19:25:09.102631Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-06-04T17:36:28.119Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" }, { "providerMetadata": { "dateUpdated": "2024-08-02T01:46:04.755Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc" }, { "name": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Sunshine", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "\u003e= 0.16.0, \u003c 0.18.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit vulnerability, attacker could make an http/s request to the `node_modules` endpoint if user exposed Sunshine config web server to internet or attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-05T14:59:52.662Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc" }, { "name": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0" } ], "source": { "advisory": "GHSA-6rg7-7m3w-w5wc", "discovery": "UNKNOWN" }, "title": "Sunshine vulnerable to remote unauthenticated arbitrary file read" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-31220", "datePublished": "2024-04-05T14:59:52.662Z", "dateReserved": "2024-03-29T14:16:31.901Z", "dateUpdated": "2024-08-02T01:46:04.755Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2024-31221 (GCVE-0-2024-31221)
Vulnerability from cvelistv5
Published: 2024-04-08 15:10
Modified: 2024-09-03 18:00
CWE
- CWE-384 - Session Fixation
Summary
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI and then pairing only one device, all of the previously paired devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability.
References
URL | Tags
---|---
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m | x_refsource_CONFIRM
https://github.com/LizardByte/Sunshine/issues/2305 | x_refsource_MISC
https://github.com/LizardByte/Sunshine/pull/2365 | x_refsource_MISC
https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e | x_refsource_MISC

Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine | >= 0.10.0, < 0.23.0
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T01:46:05.096Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m" }, { "name": "https://github.com/LizardByte/Sunshine/issues/2305", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/LizardByte/Sunshine/issues/2305" }, { "name": "https://github.com/LizardByte/Sunshine/pull/2365", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/LizardByte/Sunshine/pull/2365" }, { "name": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2024-31221", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-07T17:59:28.747581Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-09-03T18:00:09.752Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Sunshine", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "\u003e= 0.10.0, \u003c 0.23.0" } ] } ], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. 
Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-384", "description": "CWE-384: Session Fixation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-04-08T15:10:17.071Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m" }, { "name": "https://github.com/LizardByte/Sunshine/issues/2305", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/issues/2305" }, { "name": "https://github.com/LizardByte/Sunshine/pull/2365", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/pull/2365" }, { "name": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e" } ], "source": { "advisory": "GHSA-v8gw-jw28-v55m", "discovery": "UNKNOWN" }, "title": "Clients removed during unpairing process may regain access if Sunshine was not restarted" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-31221", "datePublished": "2024-04-08T15:10:17.071Z", "dateReserved": "2024-03-29T14:16:31.901Z", 
"dateUpdated": "2024-09-03T18:00:09.752Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-10199 (GCVE-0-2025-10199)
Vulnerability from cvelistv5
Published
2025-09-09 17:30
Modified
2025-09-10 13:43
Summary
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.
References
Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine for Windows | v2025.122.141614
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-10199", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-10T13:16:49.041628Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-428", "description": "CWE-428 Unquoted Search Path or Element", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-10T13:43:59.075Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Sunshine for Windows", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "v2025.122.141614" } ] } ], "descriptions": [ { "lang": "en", "value": "A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path." 
} ], "problemTypes": [ { "descriptions": [ { "description": "CWE-428: Unquoted Search Path or Element", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-09T17:30:50.158Z", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp" } ], "source": { "discovery": "UNKNOWN" }, "title": "A local privilege escalation vulnerability exists in LizardBytes\u0027 Sunshine for Windows", "x_generator": { "engine": "VINCE 3.0.24", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-10199" } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2025-10199", "datePublished": "2025-09-09T17:30:19.958Z", "dateReserved": "2025-09-09T17:28:39.083Z", "dateUpdated": "2025-09-10T13:43:59.075Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-53095 (GCVE-0-2025-53095)
Vulnerability from cvelistv5
Published
2025-07-01 01:33
Modified
2025-07-01 13:21
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.
References
URL | Tags
---|---
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-39hj-fxvw-758m | x_refsource_CONFIRM
https://github.com/LizardByte/Sunshine/commit/738ac93a0ec1cd10412d1f339968775f53bfefe0 | x_refsource_MISC
Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine | < 2025.628.4510
{ "containers": { "adp": [ { "metrics": [ { "other": { "content": { "id": "CVE-2025-53095", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-07-01T13:21:05.692690Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2025-07-01T13:21:15.143Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Sunshine", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "\u003c 2025.628.4510" } ] } ], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the \"Command Preparations\" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-07-01T01:33:22.331Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-39hj-fxvw-758m", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-39hj-fxvw-758m" }, { "name": "https://github.com/LizardByte/Sunshine/commit/738ac93a0ec1cd10412d1f339968775f53bfefe0", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/LizardByte/Sunshine/commit/738ac93a0ec1cd10412d1f339968775f53bfefe0" } ], "source": { "advisory": "GHSA-39hj-fxvw-758m", "discovery": "UNKNOWN" }, "title": "Sunshine application-wide CSRF in the UI leads to command injection as Administrator" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2025-53095", "datePublished": "2025-07-01T01:33:22.331Z", "dateReserved": "2025-06-25T13:41:23.086Z", "dateUpdated": "2025-07-01T13:21:15.143Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2025-10198 (GCVE-0-2025-10198)
Vulnerability from cvelistv5
Published
2025-09-09 17:28
Modified
2025-09-10 13:44
Summary
Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories.
References
Impacted products
Vendor | Product | Version
---|---|---
LizardByte | Sunshine for Windows | v2025.122.141614
{ "containers": { "adp": [ { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2025-10198", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "total" } ], "role": "CISA Coordinator", "timestamp": "2025-09-10T13:17:00.097504Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-427", "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-10T13:44:06.419Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "Sunshine for Windows", "vendor": "LizardByte", "versions": [ { "status": "affected", "version": "v2025.122.141614" } ] } ], "descriptions": [ { "lang": "en", "value": "Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories." 
} ], "problemTypes": [ { "descriptions": [ { "description": "CWE-427 Uncontrolled Search Path Element", "lang": "en" } ] } ], "providerMetadata": { "dateUpdated": "2025-09-09T17:28:14.696Z", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc" }, "references": [ { "url": "https://github.com/LizardByte/Sunshine/pull/3971" } ], "source": { "discovery": "UNKNOWN" }, "title": "LizardBytes Sunshine for Windows contains a DLL search-order hijacking vulnerability", "x_generator": { "engine": "VINCE 3.0.24", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2025-10198" } } }, "cveMetadata": { "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2025-10198", "datePublished": "2025-09-09T17:28:14.696Z", "dateReserved": "2025-09-09T17:25:14.481Z", "dateUpdated": "2025-09-10T13:44:06.419Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2024-04-08 15:15
Modified
2025-09-11 21:41
Summary
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previous devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability.
References
Impacted products
Vendor | Product | Version
---|---|---
lizardbyte | sunshine | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*", "matchCriteriaId": "C4B46EB4-E7D7-4700-90B0-99FD69779A61", "versionEndExcluding": "0.23.0", "versionStartIncluding": "0.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability." }, { "lang": "es", "value": "Sunshine es un anfitri\u00f3n de transmisi\u00f3n de juegos autohospedado para Moonlight. A partir de la versi\u00f3n 0.10.0 y antes de la versi\u00f3n 0.23.0, despu\u00e9s de desvincular todos los dispositivos en la interfaz de usuario web y luego vincular solo un dispositivo, todos los dispositivos anteriores se vincular\u00e1n temporalmente. La versi\u00f3n 0.23.0 contiene un parche para el problema. Como workaround, reiniciar Sunshine despu\u00e9s de desvincular todos los dispositivos previene la vulnerabilidad." 
} ], "id": "CVE-2024-31221", "lastModified": "2025-09-11T21:41:40.740", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-04-08T15:15:08.207", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Issue Tracking" ], "url": "https://github.com/LizardByte/Sunshine/issues/2305" }, { "source": "security-advisories@github.com", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/LizardByte/Sunshine/pull/2365" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/LizardByte/Sunshine/commit/b7aa8119f1471844dccdf73a8b6f7efc9baddb5e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Issue Tracking" ], "url": "https://github.com/LizardByte/Sunshine/issues/2305" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/LizardByte/Sunshine/pull/2365" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-v8gw-jw28-v55m" } ], "sourceIdentifier": "security-advisories@github.com", 
"vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-384" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-07-01 02:15
Modified
2025-08-22 14:28
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Summary
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510.
References
Impacted products
Vendor | Product | Version
---|---|---
lizardbyte | sunshine | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*", "matchCriteriaId": "F352940D-F1FD-4E7F-9A01-0A4FF21CFF67", "versionEndExcluding": "2025.628.4510", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510." }, { "lang": "es", "value": "Sunshine es un servidor de streaming de juegos autoalojado para Moonlight. Antes de la versi\u00f3n 2025.628.4510, la interfaz web de Sunshine carec\u00eda de protecci\u00f3n contra ataques de clickjacking. Esta vulnerabilidad permite a un atacante integrar la interfaz de Sunshine en un sitio web malicioso mediante un iframe invisible o camuflado. Si se enga\u00f1a a un usuario para que interact\u00fae (uno o varios clics) con la p\u00e1gina maliciosa mientras est\u00e1 autenticado, podr\u00eda realizar acciones dentro de la aplicaci\u00f3n Sunshine sin su consentimiento. Este problema se ha corregido en la versi\u00f3n 2025.628.4510." 
} ], "id": "CVE-2025-53096", "lastModified": "2025-08-22T14:28:45.230", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2025-07-01T02:15:22.717", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/LizardByte/Sunshine/commit/2f27a57d01911436017f87bf08b9e36dcfaa86cc" }, { "source": "security-advisories@github.com", "tags": [ "Third Party Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-x97g-h2vp-g2c5" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-1021" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-04-05 15:15
Modified
2025-09-11 21:41
Summary
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit the vulnerability, an attacker could make an HTTP/S request to the `node_modules` endpoint if the user exposed the Sunshine config web server to the internet or the attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall.
References
Impacted products
Vendor | Product | Version
---|---|---
lizardbyte | sunshine | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*", "matchCriteriaId": "99046982-5CD7-4486-BFDE-E57C607F05DB", "versionEndExcluding": "0.18.0", "versionStartIncluding": "0.16.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit vulnerability, attacker could make an http/s request to the `node_modules` endpoint if user exposed Sunshine config web server to internet or attacker is on the LAN. Version 0.18.0 contains a patch for this issue. As a workaround, one may block access to Sunshine via firewall." }, { "lang": "es", "value": "Sunshine es un anfitri\u00f3n de transmisi\u00f3n de juegos autohospedado para Moonlight. A partir de la versi\u00f3n 0.16.0 y anteriores a la versi\u00f3n 0.18.0, un atacante puede leer de forma remota archivos arbitrarios sin autenticaci\u00f3n debido a una vulnerabilidad de path traversal. Los usuarios que expusieron la interfaz de usuario web de configuraci\u00f3n de Sunshine fuera de localhost pueden verse afectados, dependiendo de la configuraci\u00f3n del firewall. Para explotar la vulnerabilidad, el atacante podr\u00eda realizar una solicitud http/s al endpoint `node_modules` si el usuario expuso el servidor web de configuraci\u00f3n Sunshine a Internet o el atacante est\u00e1 en la LAN. La versi\u00f3n 0.18.0 contiene un parche para este problema. Como workaround, se puede bloquear el acceso a Sunshine mediante un firewall." 
} ], "id": "CVE-2024-31220", "lastModified": "2025-09-11T21:41:57.923", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2024-04-05T15:15:08.060", "references": [ { "source": "security-advisories@github.com", "tags": [ "Release Notes" ], "url": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes" ], "url": "https://github.com/LizardByte/Sunshine/releases/tag/v0.18.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-6rg7-7m3w-w5wc" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-01-20 16:15
Modified
2025-09-11 21:33
Summary
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840.
References
Impacted products
Vendor | Product | Version
---|---|---
lizardbyte | sunshine | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6CCACC5-BB09-47AF-ADD4-7E2D267B4CDB", "versionEndExcluding": "2025.118.151840", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine\u0027s pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing attempt. This bug may also be used by a remote attacker to crash Sunshine. This vulnerability is fixed in 2025.118.151840." }, { "lang": "es", "value": "Sunshine es un servidor de transmisi\u00f3n de juegos autoalojado para Moonlight. En la versi\u00f3n 0.23.1 y anteriores, la implementaci\u00f3n del protocolo de emparejamiento de Sunshine no valida el orden de las solicitudes y, por lo tanto, es vulnerable a un ataque MITM, lo que potencialmente permite que un atacante no autenticado empareje un cliente secuestrando un intento de emparejamiento leg\u00edtimo. Un atacante remoto tambi\u00e9n puede usar este error para bloquear Sunshine. Esta vulnerabilidad se corrigi\u00f3 en 2025.118.151840." 
} ], "id": "CVE-2024-51738", "lastModified": "2025-09-11T21:33:04.643", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV40": [ { "cvssData": { "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", 
"vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED" }, "source": "security-advisories@github.com", "type": "Secondary" } ] }, "published": "2025-01-20T16:15:27.667", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/LizardByte/Sunshine/commit/89f097ae65277d42b5d40163d09d92e412e6d7dd" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-3hrw-xv8h-9499" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-305" }, { "lang": "en", "value": "CWE-476" }, { "lang": "en", "value": "CWE-841" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2025-07-01 02:15
Modified
2025-08-22 13:44
Severity ?
9.6 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510.
References
Impacted products
Vendor | Product | Version
---|---|---
lizardbyte | sunshine | *
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*", "matchCriteriaId": "F352940D-F1FD-4E7F-9A01-0A4FF21CFF67", "versionEndExcluding": "2025.628.4510", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the \"Command Preparations\" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510." }, { "lang": "es", "value": "Sunshine es un servidor de streaming de juegos autoalojado para Moonlight. Antes de la versi\u00f3n 2025.628.4510, la interfaz web de Sunshine carec\u00eda de protecci\u00f3n contra ataques de Cross-Site Request Forgery (CSRF). Esta vulnerabilidad permite a un atacante crear una p\u00e1gina web maliciosa que, al ser visitada por un usuario autenticado, puede desencadenar acciones no deseadas dentro de la aplicaci\u00f3n Sunshine en nombre de dicho usuario. En concreto, dado que la aplicaci\u00f3n ejecuta comandos del sistema operativo por dise\u00f1o, este problema puede explotarse para abusar de la funci\u00f3n \"Preparaci\u00f3n de comandos\", lo que permite a un atacante inyectar comandos arbitrarios que se ejecutar\u00e1n con privilegios de administrador al iniciar una aplicaci\u00f3n. Este problema se ha corregido en la versi\u00f3n 2025.628.4510." 
} ], "id": "CVE-2025-53095", "lastModified": "2025-08-22T13:44:40.643", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2025-07-01T02:15:22.563", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/LizardByte/Sunshine/commit/738ac93a0ec1cd10412d1f339968775f53bfefe0" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-39hj-fxvw-758m" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "security-advisories@github.com", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-09-10 16:15
Modified
2024-09-20 16:18
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Summary
Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertently allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
lizardbyte | sunshine | 2024-05-27 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lizardbyte:sunshine:2024-05-27:*:*:*:*:*:*:*", "matchCriteriaId": "46E8774B-25EA-446B-9C16-15477623922E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but the certificate from the forged pairing attempt is incorrectly persisted prior to the completion of the pairing request. This allows access to the certificate belonging to the attacker." }, { "lang": "es", "value": "Sunshine es un servidor de transmisi\u00f3n de juegos autoalojado para Moonlight. Los clientes que experimentan un ataque MITM durante el proceso de emparejamiento pueden permitir el acceso inadvertidamente a un cliente no deseado en lugar de fallar la autenticaci\u00f3n debido a un error de validaci\u00f3n de PIN. El intento de emparejamiento falla debido al PIN incorrecto, pero el certificado del intento de emparejamiento falsificado se conserva incorrectamente antes de que se complete la solicitud de emparejamiento. Esto permite el acceso al certificado que pertenece al atacante." 
} ], "id": "CVE-2024-45407", "lastModified": "2024-09-20T16:18:46.717", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-09-10T16:15:20.617", "references": [ { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/LizardByte/Sunshine/commit/5fcd07ecb1428bfe245ad6fa349aead476c7e772" }, { "source": "security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/LizardByte/Sunshine/commit/fd7e68457a134102d1b30af5796c79f2aa623224" }, { "source": "security-advisories@github.com", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-jqph-8cp5-g874" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-300" } ], "source": "security-advisories@github.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2024-05-16 19:15
Modified
2025-09-11 21:41
Severity ?
4.9 (Medium) - CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H
2.9 (Low) - CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N
Summary
Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacker placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
lizardbyte | sunshine | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FB5B816-6AB8-4D92-87B6-3D65DCC9AE61", "versionEndExcluding": "0.23.0", "versionStartIncluding": "0.17.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\\Program.exe`, `C:\\Program.bat`, or `C:\\Program.cmd` on the user\u0027s computer. This attack vector isn\u0027t exploitable unless the user has manually loosened ACLs on the system drive. If the user\u0027s system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories." }, { "lang": "es", "value": "Sunshine es un anfitri\u00f3n de transmisi\u00f3n de juegos autohospedado para Moonlight. Los usuarios que ejecutaron las versiones de Sunshine 0.17.0 a 0.22.2 como servicio en Windows pueden verse afectados al finalizar el servicio si un ataque coloc\u00f3 un archivo llamado `C:\\Program.exe`, `C:\\Program.bat` o `C:\\Program.cmd` en la computadora del usuario. Este vector de ataque no es explotable a menos que el usuario haya aflojado manualmente las ACL en la unidad del sistema. 
Si la configuraci\u00f3n regional del sistema del usuario no es ingl\u00e9s, es probable que el nombre del ejecutable var\u00ede. La versi\u00f3n 0.23.0 contiene un parche para el problema. Algunas soluciones est\u00e1n disponibles. Se pueden identificar y bloquear la intercepci\u00f3n de rutas ejecutadas de software potencialmente malicioso mediante el uso de herramientas de control de aplicaciones, como el control de aplicaciones de Windows Defender, AppLocker o las pol\u00edticas de restricci\u00f3n de software, cuando corresponda. Alternativamente, aseg\u00farese de que los permisos y el control de acceso al directorio adecuados est\u00e9n configurados para negar a los usuarios la capacidad de escribir archivos en el directorio de nivel superior `C:`. Requiere que todos los ejecutables se coloquen en directorios protegidos contra escritura." } ], "id": "CVE-2024-31226", "lastModified": "2025-09-11T21:41:19.813", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H", "version": "3.1" }, "exploitabilityScore": 0.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary" }, { "cvssData": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 0.3, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2024-05-16T19:15:49.560", "references": [ { "source": 
"security-advisories@github.com", "tags": [ "Patch" ], "url": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a" }, { "source": "security-advisories@github.com", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/LizardByte/Sunshine/pull/2379" }, { "source": "security-advisories@github.com", "tags": [ "Vendor Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch" ], "url": "https://github.com/LizardByte/Sunshine/pull/2379" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp" } ], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-428" } ], "source": "security-advisories@github.com", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-09-09 18:15
Modified
2025-09-17 20:07
Severity ?
Summary
Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories.
References
Source | URL | Tags | |
---|---|---|---|
cret@cert.org | https://github.com/LizardByte/Sunshine/pull/3971 | Issue Tracking |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
lizardbyte | sunshine | 2025.122.141614 | |
microsoft | windows | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lizardbyte:sunshine:2025.122.141614:*:*:*:*:*:*:*", "matchCriteriaId": "C58C4B17-55BC-459A-8B83-41201ED61522", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories." } ], "id": "CVE-2025-10198", "lastModified": "2025-09-17T20:07:14.790", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-09-09T18:15:31.743", "references": [ { "source": "cret@cert.org", "tags": [ "Issue Tracking" ], "url": "https://github.com/LizardByte/Sunshine/pull/3971" } ], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-427" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2025-09-09 18:15
Modified
2025-09-17 20:03
Severity ?
Summary
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.
References
Source | URL | Tags | |
---|---|---|---|
cret@cert.org | https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp | Not Applicable |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
lizardbyte | sunshine | 2025.122.141614 | |
microsoft | windows | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:lizardbyte:sunshine:2025.122.141614:*:*:*:*:*:*:*", "matchCriteriaId": "C58C4B17-55BC-459A-8B83-41201ED61522", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path." } ], "id": "CVE-2025-10199", "lastModified": "2025-09-17T20:03:57.270", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2025-09-09T18:15:32.737", "references": [ { "source": "cret@cert.org", "tags": [ "Not Applicable" ], "url": "https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp" } ], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-428" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }