Platform: windows
Component: vrcx
Fixed in: 2023.12.24
CVE-2024-42366 describes a critical Remote Code Execution (RCE) vulnerability discovered in VRCX, an assistant application for VRChat. This flaw allows attackers to potentially execute arbitrary commands on vulnerable systems by exploiting a misconfigured CefSharp browser and cross-site scripting via overlay notifications. The vulnerability affects VRCX versions prior to 2024.03.23, and a patch is available in version 2023.12.24, alongside API-side blocking of older versions.
The impact of CVE-2024-42366 is severe. A successful exploit allows an attacker to achieve remote code execution on a user's machine running a vulnerable version of VRCX. This could lead to complete system compromise, including data theft, malware installation, and further lateral movement within the network. The combination of CefSharp's over-permissions and the ability to inject cross-site scripting payloads creates a potent attack vector. While the VRC team has implemented API-side blocking to prevent older versions from functioning, users who have not updated remain at risk if they are still able to run the outdated application.
CVE-2024-42366 was publicly disclosed on August 8, 2024. The vulnerability's severity is classified as CRITICAL (CVSS 9.1). Public proof-of-concept exploits are not yet widely available, but the combination of over-permissions and XSS makes exploitation likely. It is not currently listed on CISA KEV, but its critical severity warrants monitoring. Active campaigns are not currently confirmed, but the ease of exploitation could lead to opportunistic attacks.
Exploit Status
EPSS: 2.68% (86th percentile)
The primary mitigation for CVE-2024-42366 is to immediately upgrade VRCX to version 2023.12.24 or later. The VRC team has also implemented API-side blocking to prevent older versions from connecting, which provides an additional layer of protection. If upgrading is temporarily impossible, consider isolating vulnerable systems from external networks to limit potential attack vectors. While a WAF or proxy cannot directly address this vulnerability, it can help mitigate the risk of cross-site scripting attacks. After upgrading, confirm the fix by verifying the VRCX version and attempting to access VRChat to ensure the API-side blocking is functioning as expected.
Update VRCX to version 2023.12.24 or later. The update corrects the cross-site scripting and over-permission vulnerabilities that allow remote code execution (RCE). If you are using an older version, you must update to continue using VRCX.
CVE-2024-42366 is a critical RCE vulnerability in VRCX, an assistant application for VRChat, allowing attackers to execute commands via a misconfigured CefSharp browser and XSS.
You are affected if you are using VRCX versions prior to 2023.12.24. Ensure you upgrade immediately to mitigate the risk.
Upgrade VRCX to version 2023.12.24 or later. Also, ensure the VRC API-side blocking is active to prevent older versions from connecting.
While active exploitation is not currently confirmed, the vulnerability's severity and ease of exploitation suggest it could become a target for opportunistic attacks.
Refer to the official VRChat security advisory for details and updates: [https://www.vrchat.com/security/](https://www.vrchat.com/security/)