CVE-2024-41799

8.4 HIGH

📋 TL;DR

This vulnerability in tgstation-server allows low-permission users with 'Set .dme Path' privilege to potentially execute malicious .dme files, which could lead to remote code execution when combined with other configuration weaknesses. It affects tgstation-server installations prior to version 6.8.0. The attack requires multiple privileges but bypasses some intended security controls.

💻 Affected Systems

Products:
  • tgstation-server
Versions: All versions prior to 6.8.0
Operating Systems: All platforms running tgstation-server
Default Config Vulnerable: ✅ No
Notes: Requires specific privilege assignments and BYOND trusted security level configuration to be fully exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on the host server through BYOND's shell() procedure, potentially leading to full system compromise.

🟠 Likely Case

Privilege escalation within tgstation-server allowing unauthorized code execution in BYOND game servers.

🟢 If Mitigated

Limited to setting .dme paths without execution capability if proper security levels are configured.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated low-privilege user with 'Set .dme Path' privilege, plus additional configuration weaknesses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.8.0 and above

Vendor Advisory: https://github.com/tgstation/tgstation-server/security/advisories/GHSA-c3h4-9gc2-f7h4

Restart Required: Yes

Instructions:

1. Back up current configuration and data.
2. Update tgstation-server to version 6.8.0 or later.
3. Restart the tgstation-server service.
4. Verify the update was successful.

🔧 Temporary Workarounds

  • Remove 'Set .dme Path' privilege from low-permission users (platforms: all): restrict the 'Set .dme Path' privilege to only trusted administrators.
  • Disable BYOND trusted security level (platforms: all): configure BYOND to run in untrusted mode to prevent shell() execution.

🧯 If You Can't Patch

  • Review and restrict user privileges, especially 'Set .dme Path' and deployment code source control
  • Implement strict file upload controls and monitor for malicious .dme file uploads

🔍 How to Verify

Check if Vulnerable:

Check tgstation-server version and verify it's below 6.8.0

Check Version:

tgs --version or check server configuration/interface

Verify Fix Applied:

Confirm tgstation-server version is 6.8.0 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized .dme file path changes
  • Unexpected .dme compilation attempts
  • Shell command execution in BYOND logs

Network Indicators:

  • Unusual outbound connections from BYOND server process

SIEM Query:

Process execution from BYOND with suspicious command-line arguments
