PT-2024-23862 · Sunshine · Sunshine

Kjsman · Published 2024-04-05 · Updated 2024-04-08 · CVE-2024-31220

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Sunshine versions 0.16.0 through 0.17.x

Description

Sunshine is a self-hosted game stream host for Moonlight. An attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface outside of localhost may be affected, depending on firewall configuration. To exploit the issue, an attacker could make an HTTP or HTTPS request to the node modules endpoint if the user exposed the Sunshine config web server to the internet or the attacker is on the LAN.

Recommendations

For versions 0.16.0 through 0.17.x, update to version 0.18.0 to resolve the issue. As a temporary workaround, consider blocking access to Sunshine via firewall to minimize the risk of exploitation.
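
The class of check that prevents this kind of traversal in a static-file endpoint, shown as an added example: it is not Sunshine's code and not the 0.18.0 patch. The function names and the web root `/srv/sunshine-example/web` are hypothetical, and the request paths in `main` are constructed.

```cpp
// Added example, not Sunshine's code: keep a static-file request inside the web root.
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Decode %XX once; malformed escapes and an encoded NUL byte are refused.
std::optional<std::string> percent_decode(const std::string &in) {
  std::string out;
  for (std::size_t i = 0; i < in.size(); ++i) {
    if (in[i] != '%') { out += in[i]; continue; }
    if (i + 2 >= in.size() || !std::isxdigit((unsigned char) in[i + 1]) ||
        !std::isxdigit((unsigned char) in[i + 2])) return std::nullopt;
    char c = (char) std::stoi(in.substr(i + 1, 2), nullptr, 16);
    if (c == '\0') return std::nullopt;
    out += c;
    i += 2;
  }
  return out;
}

// Map a request path to a file below `root`; nullopt means "refuse the request".
std::optional<fs::path> resolve_under_root(const fs::path &root, const std::string &url_path) {
  auto decoded = percent_decode(url_path);
  if (!decoded || decoded->find('\\') != std::string::npos) return std::nullopt;
  std::error_code ec;
  fs::path base = fs::weakly_canonical(root, ec);
  if (ec) return std::nullopt;
  // relative_path() drops the leading '/', so operator/ cannot discard `base`.
  fs::path target = fs::weakly_canonical(base / fs::path(*decoded).relative_path(), ec);
  if (ec) return std::nullopt;
  // Compare whole components so "/web-evil" is not accepted as inside "/web".
  auto diff = std::mismatch(base.begin(), base.end(), target.begin(), target.end());
  if (diff.first != base.end()) return std::nullopt;
  return target;
}

int main() {
  const fs::path root = "/srv/sunshine-example/web";  // constructed path
  for (const char *req : {"/node_modules/pkg/index.js", "/node_modules/../../../../etc/passwd"}) {
    std::cout << req << " -> " << (resolve_under_root(root, req) ? "serve" : "refuse") << "\n";
  }
}
```

`weakly_canonical` resolves symlinks in the part of the path that exists, so the containment test runs on the location the server would actually open rather than on the string the client sent.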

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2024-31220
GHSA-6RG7-7M3W-W5WC

Affected Products

Sunshine