CVE-2024-31220 Overview
CVE-2024-31220 is a path traversal vulnerability [CWE-22] in LizardByte Sunshine, a self-hosted game stream host for Moonlight. The flaw affects Sunshine versions from 0.16.0 up to, but not including, 0.18.0. An unauthenticated remote attacker can read arbitrary files on the host by sending crafted HTTP/HTTPS requests to the node_modules endpoint of the configuration web interface. Exposure depends on firewall configuration and on whether the Sunshine configuration UI is reachable beyond localhost. Version 0.18.0 contains the patch.
Critical Impact
Unauthenticated attackers on the LAN or internet can read arbitrary files from the Sunshine host without credentials, exposing configuration, secrets, and user data.
Affected Products
- LizardByte Sunshine 0.16.0 through 0.17.x
- Sunshine configuration web user interface exposed beyond localhost
- Hosts running affected Sunshine versions on Windows, Linux, or macOS
Discovery Timeline
- 2024-04-05 - CVE-2024-31220 published to NVD
- 2025-09-11 - Last updated in NVD database
Technical Details for CVE-2024-31220
Vulnerability Analysis
The vulnerability is a classic path traversal flaw [CWE-22] in the Sunshine configuration web server. The node_modules endpoint fails to properly sanitize and canonicalize user-supplied path components before serving file contents. An attacker can include traversal sequences such as ../ in the request path to escape the intended static asset directory and reach arbitrary files on the underlying filesystem.
Because the configuration web server does not require authentication for the affected endpoint, exploitation requires only network reachability. The attack can be carried out from the local network or from the internet when administrators expose the UI through port forwarding or open firewall rules.
The disclosed file contents are limited by the privileges of the Sunshine process, but the service often runs with sufficient rights to expose configuration files, API tokens, and operating system data.
Root Cause
The root cause is insufficient input validation on the file path supplied to the node_modules static handler. The handler resolves the requested path relative to the asset root without rejecting traversal sequences or verifying that the resolved path remains within the intended directory tree.
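The containment check this paragraph says is missing, shown as an added Python illustration next to the unchecked pattern; it is not Sunshine's code, and the function names and the directory tree built in demo() are constructed for the example.

```python
import os
import tempfile
from typing import Optional

def resolve_naive(asset_root: str, requested: str) -> str:
    """The pattern described above: join and normalize, no containment check."""
    return os.path.normpath(os.path.join(asset_root, requested))

def resolve_contained(asset_root: str, requested: str) -> Optional[str]:
    """Canonicalize (symlinks included), then require the result to sit under the root."""
    root = os.path.realpath(asset_root)
    candidate = os.path.realpath(os.path.join(root, requested))
    try:
        # commonpath compares whole components, so a sibling such as
        # node_modules_old is not mistaken for a child of node_modules.
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return candidate if inside and os.path.isfile(candidate) else None

def demo() -> dict:
    """Build a constructed directory tree and resolve sample request paths."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "node_modules")
    os.makedirs(os.path.join(root, "pkg"))
    os.makedirs(os.path.join(base, "node_modules_old"))
    for rel in ("node_modules/pkg/index.js", "node_modules_old/x.js", "state.json"):
        with open(os.path.join(base, *rel.split("/")), "w") as fh:
            fh.write("constructed sample\n")
    requests = ["pkg/index.js", "pkg/../../state.json", "../node_modules_old/x.js",
                os.path.join(base, "state.json")]
    return {r: (resolve_naive(root, r), resolve_contained(root, r)) for r in requests}

if __name__ == "__main__":
    for req, (naive, safe) in demo().items():
        print(f"{req!r}: naive={naive!r} contained={safe!r}")
```

Only the first request resolves under the contained variant; the naive variant returns a path outside the asset root for the other three, including the absolute path, which os.path.join lets replace the root entirely.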
Attack Vector
Exploitation requires a single unauthenticated HTTP or HTTPS request to the Sunshine configuration interface. The attacker issues a GET request to the node_modules endpoint containing directory traversal sequences targeting files outside the static asset directory. The server returns the requested file contents in the HTTP response.
No user interaction, credentials, or prior foothold are required when the configuration UI is reachable. See the GitHub Security Advisory GHSA-6rg7-7m3w-w5wc for vendor-confirmed exploitation conditions.
Detection Methods for CVE-2024-31220
Indicators of Compromise
- HTTP/HTTPS requests to the Sunshine configuration web server containing node_modules in combination with ../ or URL-encoded %2e%2e%2f sequences.
- Outbound responses from the Sunshine host returning non-static file contents such as passwd, shadow, .env, or Sunshine configuration files.
- Unexpected access to the Sunshine configuration port (default 47990) from non-localhost source addresses.
Detection Strategies
- Inspect web server and reverse proxy access logs for requests targeting the node_modules path that include traversal patterns or unusual file extensions.
- Correlate inbound LAN or WAN traffic to Sunshine listening ports with the host's outbound response sizes to identify file exfiltration.
- Compare installed Sunshine version against 0.18.0 across managed endpoints to identify vulnerable hosts.
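One way to run the log inspection described above, and to match the request indicators listed under Indicators of Compromise, written as an added Python example that is not vendor tooling. It assumes access logs in combined log format from a reverse proxy in front of the configuration UI; the sample lines are constructed and use documentation address ranges.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format); not taken from a real host.
SAMPLE_LOG = """\
127.0.0.1 - - [05/Apr/2024:10:00:01 +0000] "GET /node_modules/bootstrap/dist/css/bootstrap.min.css HTTP/1.1" 200 163873
192.0.2.10 - - [05/Apr/2024:10:00:07 +0000] "GET /node_modules/../../../etc/passwd HTTP/1.1" 200 1432
198.51.100.7 - - [05/Apr/2024:10:00:09 +0000] "GET /node_modules/%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 404 0
192.0.2.10 - - [05/Apr/2024:10:00:15 +0000] "GET /node_modules/vue/dist/vue.global.js HTTP/1.1" 200 401223
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def decode_fully(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so raw and encoded forms compare equal."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")  # treat Windows separators the same way

def find_traversal(log_text: str) -> list:
    """Return one finding per node_modules request that contains a '..' segment."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path = decode_fully(m["target"].split("?", 1)[0])
        segments = path.split("/")
        if "node_modules" in segments and ".." in segments:
            findings.append({
                "src": m["src"],
                "path": path,
                "status": int(m["status"]),
                "served": m["status"] == "200",  # a body was returned: treat as a read
                "remote": m["src"] not in ("127.0.0.1", "::1"),
            })
    return findings

if __name__ == "__main__":
    for f in find_traversal(SAMPLE_LOG):
        print(f)
```

Findings with served set to True are the ones to triage first, since the host returned content for a path outside the asset directory.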
Monitoring Recommendations
- Enable verbose HTTP request logging on Sunshine hosts and forward logs to a central SIEM for traversal-pattern matching.
- Alert on any source address outside the management subnet that connects to the Sunshine configuration interface.
- Monitor for new firewall or NAT rules that expose Sunshine ports to untrusted networks.
How to Mitigate CVE-2024-31220
Immediate Actions Required
- Upgrade Sunshine to version 0.18.0 or later on all hosts immediately.
- Restrict access to the Sunshine configuration web interface so it binds to or is reachable only from localhost.
- Remove any port-forwarding or NAT rules that expose Sunshine to the internet until patching is complete.
- Rotate any credentials, tokens, or keys that may have been stored on disk on exposed hosts.
Patch Information
The vendor released a fix in Sunshine v0.18.0. Administrators should download the official release and verify the installed version after upgrade. Vendor remediation guidance is documented in the GitHub Security Advisory GHSA-6rg7-7m3w-w5wc.
Workarounds
- Block inbound access to Sunshine configuration ports at the host or perimeter firewall, allowing only trusted management addresses.
- Place the Sunshine host on an isolated VLAN that is not routable from untrusted LAN segments or the internet.
- Use an authenticated reverse proxy or VPN to gate access to the configuration UI until the patch is applied.
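# Configuration example: restrict Sunshine config UI to localhost using iptables
# iptables filters IPv4 only; if the UI also listens on IPv6, mirror the rules with ip6tables.
# -A appends, so these rules take effect only if no earlier INPUT rule already accepts the port.
sudo iptables -A INPUT -p tcp --dport 47990 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 47990 -j DROP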
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


