CVE-2024-29887

7.4 HIGH

📋 TL;DR

This vulnerability allows man-in-the-middle attacks against Serverpod's non-web HTTP clients by bypassing TLS certificate validation. Attackers can intercept and hijack encrypted traffic between client devices and servers. All users of the serverpod_client package before version 1.2.6 are affected.

💻 Affected Systems

Products:
  • serverpod_client package
Versions: All versions before 1.2.6
Operating Systems: All platforms using Serverpod
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects non-web HTTP clients in the serverpod_client package. Web clients are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept sensitive data (authentication tokens, personal information, business data) transmitted between clients and servers, potentially leading to data breaches, account compromise, or service disruption.

🟠 Likely Case

Interception of session tokens or API credentials leading to unauthorized access to backend systems and data exfiltration.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to potential data leakage from intercepted sessions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires ability to intercept network traffic (e.g., compromised network, rogue access point). No authentication needed to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.6

Vendor Advisory: https://github.com/serverpod/serverpod/security/advisories/GHSA-h6x7-r5rg-x5fw

Restart Required: Yes

Instructions:

1. Update pubspec.yaml to require serverpod_client ^1.2.6
2. Run 'flutter pub get' or 'dart pub get'
3. Rebuild and redeploy client applications
4. Restart affected services

🔧 Temporary Workarounds

Network segmentation and monitoring (applies to: all)

Isolate Serverpod traffic to trusted networks and monitor for unusual certificate validation failures

🧯 If You Can't Patch

  • Restrict Serverpod client connections to internal/VPN networks only
  • Implement certificate pinning at application layer if supported

🔍 How to Verify

Check if Vulnerable:

Check pubspec.lock or package version for serverpod_client <1.2.6

Check Version:

grep serverpod_client pubspec.lock

Verify Fix Applied:

Confirm serverpod_client version is 1.2.6 or higher in dependencies
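The grep above only shows the pinned line; deciding whether a pin is below 1.2.6 still needs a semver comparison (pre-release tags such as 1.2.6-dev.1 are older than 1.2.6, and 1.10.0 is newer than 1.9.0, which a plain string compare gets wrong). The following is an added example, not code from Serverpod or from this advisory: it walks a pubspec.lock file without a YAML dependency, pulls the resolved version of serverpod_client, and compares it against the first fixed release named above. The pubspec.lock excerpt is constructed for the example and deliberately pins the vulnerable 1.2.5 so the check has something to flag; the function names are assumptions.

```python
import sys

# Constructed sample pubspec.lock excerpt (not from any real project).
# It pins serverpod_client 1.2.5 so the check below reports VULNERABLE.
SAMPLE_LOCK = """\
packages:
  http:
    dependency: transitive
    description:
      name: http
      url: "https://pub.dev"
    source: hosted
    version: "1.1.0"
  serverpod_client:
    dependency: "direct main"
    description:
      name: serverpod_client
      url: "https://pub.dev"
    source: hosted
    version: "1.2.5"
sdks:
  dart: ">=3.0.0 <4.0.0"
"""

FIXED_VERSION = "1.2.6"  # first fixed release per the vendor advisory


def locked_version(lock_text, package):
    """Return the resolved version string of `package` from pubspec.lock text,
    or None when the package is not present.

    pubspec.lock is YAML, but the layout is regular: package names sit two
    spaces under `packages:` and their fields four spaces in, so a line walk
    is enough and avoids a third-party parser."""
    in_packages = False
    in_target = False
    for line in lock_text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            in_packages = line.rstrip() == "packages:"
            in_target = False
            continue
        if not in_packages:
            continue
        if indent == 2:
            in_target = line.strip() == f"{package}:"
            continue
        if in_target and indent == 4 and line.strip().startswith("version:"):
            return line.split(":", 1)[1].strip().strip("\"'")
    return None


def parse_semver(version):
    """Turn '1.2.6-dev.1+build' into a sortable key following pub's semver
    rules: build metadata is ignored, a pre-release sorts below its release,
    and numeric pre-release parts sort below alphanumeric ones."""
    core, _, _build = version.partition("+")
    core, _, pre = core.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    if not pre:
        return (nums, (1,))  # release: ranks above any pre-release of same core
    parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (nums, (0, parts))


def is_vulnerable(lock_text, package="serverpod_client", fixed=FIXED_VERSION):
    """True when the lock file pins `package` to a version below `fixed`.
    A project that does not use the package at all is reported as not affected."""
    found = locked_version(lock_text, package)
    if found is None:
        return False
    return parse_semver(found) < parse_semver(fixed)


if __name__ == "__main__":
    # Pass a path to check a real lock file; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    pinned = locked_version(text, "serverpod_client")
    if pinned is None:
        print("serverpod_client not present in lock file")
    else:
        state = "VULNERABLE" if is_vulnerable(text) else "fixed"
        print(f"serverpod_client {pinned}: {state} (fixed in {FIXED_VERSION})")
```

Run it against each client application's pubspec.lock after step 2 of the fix instructions; the lock file, not pubspec.yaml, records what was actually resolved, so a caret constraint that was never re-resolved still shows the old pin here.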

📡 Detection & Monitoring

Log Indicators:

  • Unexpected certificate validation failures
  • Connection resets during TLS handshake

Network Indicators:

  • Unusual TLS negotiation patterns
  • MITM attack signatures in network traffic

SIEM Query:

source="serverpod" AND (event="certificate_validation_failed" OR event="tls_handshake_error")
