Platform: other
Component: sunshine
Fixed in: 0.16.1
CVE-2024-31220 describes an Arbitrary File Access vulnerability discovered in Sunshine, a self-hosted game stream host for Moonlight. This vulnerability allows an attacker to remotely read arbitrary files without authentication. It affects versions 0.16.0 through 0.17.9, and a patch is available in version 0.18.0.
Successful exploitation of CVE-2024-31220 allows an attacker to read sensitive files from the server hosting Sunshine. This could include configuration files, source code, or other data that could be used to compromise the system or gain further access. The vulnerability is triggered by an HTTP/S request to the node_modules endpoint, making it particularly concerning if the Sunshine configuration web user interface is exposed outside of localhost, regardless of firewall configuration. The ability to read arbitrary files represents a significant data breach risk and could lead to further exploitation of the system.
CVE-2024-31220 was publicly disclosed on April 5, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The vulnerability's reliance on exposing the Sunshine configuration web UI limits its potential impact, but misconfigured deployments remain at risk. No KEV listing is currently available.
Exploit Status
EPSS: 0.18% (40th percentile)
The primary mitigation for CVE-2024-31220 is to upgrade Sunshine to version 0.18.0, which includes a patch for this vulnerability. If upgrading is not immediately feasible, restrict access to the Sunshine configuration web user interface to localhost only. Implement strict firewall rules to prevent external access to the node_modules endpoint. Consider using a Web Application Firewall (WAF) to filter requests and block malicious attempts to access arbitrary files. After upgrading, confirm the vulnerability is resolved by attempting to access the node_modules endpoint and verifying that access is denied.
Update Sunshine to version 0.18.0 or later. Alternatively, block access to Sunshine through a firewall to prevent unauthorized access to the configuration web interface.
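A small post-upgrade check for the verification step described above, added here as an example and not code from the Sunshine project. It assumes the web UI's default address https://127.0.0.1:47990 and that the affected endpoint is served under /node_modules/ (both are assumptions; set SUNSHINE_URL to override the address):

```shell
#!/bin/sh
# Added post-upgrade check; not part of the Sunshine project.
# Assumptions (labelled): the Sunshine web UI listens on https://127.0.0.1:47990
# (Sunshine's documented default port) and the affected endpoint is served
# under /node_modules/, as the advisory names it.
SUNSHINE_URL="${SUNSHINE_URL:-https://127.0.0.1:47990}"

# Turn an HTTP status code into the verdict a defender needs after patching:
#   2xx         -> the endpoint still serves content to an unauthenticated client
#   401/403/404 -> access is denied or the route is gone (expected after 0.18.0)
#   000 / empty -> curl could not connect at all (UI bound elsewhere, not running,
#                  or curl not installed)
classify_status() {
  case "$1" in
    2[0-9][0-9])  echo "exposed" ;;
    401|403|404)  echo "denied" ;;
    000|"")       echo "unreachable" ;;
    *)            echo "inconclusive" ;;
  esac
}

# Request the node_modules endpoint with no credentials, as the advisory's
# verification step describes, and print only the verdict.
# -k accepts Sunshine's self-signed certificate; -o discards the body;
# "|| true" keeps a failed connection from aborting the script.
check_node_modules_endpoint() {
  status=$(curl -k -s -o /dev/null -w '%{http_code}' --max-time 5 \
             "$1/node_modules/" 2>/dev/null || true)
  classify_status "$status"
}

# Only probe when explicitly asked, so sourcing the file for its functions
# never touches the network.  Usage:  sh check_sunshine.sh run
if [ "${1:-}" = "run" ]; then
  verdict=$(check_node_modules_endpoint "$SUNSHINE_URL")
  echo "$SUNSHINE_URL/node_modules/ -> $verdict"
  # Non-zero exit lets a cron job or CI step flag a still-exposed UI.
  [ "$verdict" = "denied" ] || [ "$verdict" = "unreachable" ] || exit 1
fi
```

Run it from the host itself first; a "denied" or "unreachable" verdict from another machine on the LAN additionally confirms the UI is no longer reachable outside localhost.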
CVE-2024-31220 is a HIGH severity vulnerability in Sunshine versions 0.16.0 through 0.17.9 that allows an attacker to read arbitrary files without authentication if the web UI is exposed.
You are affected if you are running Sunshine versions 0.16.0 through 0.17.9 and the configuration web user interface is accessible from outside localhost.
Upgrade Sunshine to version 0.18.0. If upgrading is not possible, restrict access to the web UI to localhost and implement strict firewall rules.
There is currently no indication of active exploitation campaigns targeting CVE-2024-31220.
Refer to the Sunshine project's official website and GitHub repository for the latest advisory and security updates.