CVE-2024-57610

HIGH

Sylius v2.0.2 - Unrestricted Brute-Force Attack via Missing Rate Limiting

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-57610. PoCs published by Mr-UN533N, str4ng3r-0x7.

AI-analyzed exploit summary: The repository lacks actual exploit code and instead provides vague steps to reproduce a rate-limiting issue, along with external links to a video and image. No technical details or code are included.

Description

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use "firewalls, rate-limiting middleware, or authentication providers" for that functionality.
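The quickest way to confirm the condition described above on an instance you are authorised to test is to send a run of deliberately wrong passwords for one account and watch whether the endpoint ever starts refusing them. The probe below is an added example for this page, not code from Sylius or from the PoC repositories listed on it. The HTTP transport is injected so it runs offline against a constructed simulation; the form field names, the endpoint URL and the simulated responses are assumptions to be checked against the real login form.

```python
"""Probe a login endpoint for missing attempt throttling (CWE-307).

Added example for this page; it is not code from Sylius or from the PoC
repositories. The transport is injected, so the probe runs offline against a
constructed simulation; swap in form_login_transport (or your own) to test an
instance you are authorised to assess.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import urllib.error
import urllib.parse
import urllib.request

# A transport takes (username, password) and returns (status, body).
Transport = Callable[[str, str], Tuple[int, str]]

# Throttling shows up either as a status code (a proxy or middleware limiter)
# or as a message an application-level limiter renders into the login page;
# the first marker is the text Symfony's login_throttling produces.
THROTTLE_STATUSES = {429}
THROTTLE_MARKERS = ("too many failed login attempts", "too many requests", "rate limit")


@dataclass
class ProbeResult:
    attempts_sent: int
    throttled_at: Optional[int]              # 1-based attempt that was refused, or None
    statuses: List[int] = field(default_factory=list)

    @property
    def throttled(self) -> bool:
        return self.throttled_at is not None


def looks_throttled(status: int, body: str) -> bool:
    """True if the response says the attempt was refused for rate reasons."""
    if status in THROTTLE_STATUSES:
        return True
    lowered = body.lower()
    return any(marker in lowered for marker in THROTTLE_MARKERS)


def probe_login(send: Transport, username: str, attempts: int = 20) -> ProbeResult:
    """Send `attempts` wrong passwords for one account and report whether, and
    after how many tries, the endpoint started refusing them. A result with
    throttled == False is the unrestricted-brute-force condition of this CVE."""
    statuses: List[int] = []
    for i in range(1, attempts + 1):
        status, body = send(username, f"wrong-password-{i}")
        statuses.append(status)
        if looks_throttled(status, body):
            return ProbeResult(i, i, statuses)
    return ProbeResult(attempts, None, statuses)


def simulate_login(max_attempts: Optional[int] = None) -> Transport:
    """Constructed stand-in for a form login. With max_attempts=None every
    attempt is answered identically (the behaviour reported for Sylius 2.0.2);
    with an integer it models a per-account limiter that renders Symfony's
    login_throttling error once the limit is exceeded."""
    failures: Dict[str, int] = {}

    def send(username: str, password: str) -> Tuple[int, str]:
        failures[username] = failures.get(username, 0) + 1
        if max_attempts is not None and failures[username] > max_attempts:
            return 200, "Too many failed login attempts, please try again in 1 minutes."
        return 200, "Invalid credentials."   # form re-rendered after the redirect

    return send


def form_login_transport(url: str, user_field: str = "_username",
                         pass_field: str = "_password") -> Transport:
    """Real transport for a Symfony-style form_login endpoint. The field names
    are assumptions: take them, and any CSRF token field, from the instance's
    login form, because a token mismatch is not the same thing as throttling."""
    # One cookie jar per transport so the session (and its flash message) survives
    # the post-login redirect that urllib follows as a GET.
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())

    def send(username: str, password: str) -> Tuple[int, str]:
        data = urllib.parse.urlencode({user_field: username, pass_field: password}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with opener.open(req, timeout=10) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:          # 4xx/5xx, e.g. a 429 from a limiter
            return err.code, err.read().decode(errors="replace")

    return send


if __name__ == "__main__":
    for label, transport in (("unthrottled", simulate_login()),
                             ("throttled after 5", simulate_login(max_attempts=5))):
        result = probe_login(transport, "alice@example.com")
        print(f"{label}: throttled={result.throttled} at attempt {result.throttled_at}")
```

Run it as-is to see both outcomes against the simulation; for a real target, build the transport with the instance's login URL and field names and keep the attempt count small enough to stay within your authorisation. If the probe reports no throttling, the usual fix in a Symfony-based deployment such as Sylius is the `login_throttling` option on the relevant firewall (backed by symfony/rate-limiter), or an equivalent limit at the reverse proxy, which is the class of control the vendor statement above points to.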

Exploits (2)

nomisec · SUSPICIOUS
by Mr-UN533N · poc
https://github.com/Mr-UN533N/CVE-2024-57610

The repository lacks actual exploit code and instead provides vague steps to reproduce a rate-limiting issue, along with external links to a video and image. No technical details or code are included.

Classification: Suspicious (90%)
Attack Type: DoS
Complexity: Trivial
Reliability: Theoretical
Target: Sylius v2.0.2
Auth: none needed
Prerequisites: access to the login endpoint
devstral-2 · analyzed Mar 15, 2026

nomisec · WRITEUP
by str4ng3r-0x7 · poc
https://github.com/str4ng3r-0x7/CVE-2024-57610

This repository describes a lack of rate limiting in Sylius v2.0.2, allowing unrestricted login attempts. The PoC involves automated login requests without any rate-limiting restrictions.

Classification: Writeup (90%)
Attack Type: DoS
Complexity: Trivial
Reliability: Reliable
Target: Sylius v2.0.2
Auth: none needed
Prerequisites: access to the login endpoint of a Sylius instance
devstral-2 · analyzed Feb 16, 2026

References (3)

Exploit, Third Party Advisory
https://github.com/nca785/CVE-2024-57610

Scores

CVSS v3 7.5
EPSS 0.0977
EPSS Percentile 93.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-307
Status published
Products (2)
sylius/sylius 2.0.2
sylius/sylius (Packagist)
Published Feb 06, 2025
Tracked Since Feb 18, 2026