CVE-2024-48322
📋 TL;DR
CVE-2024-48322 is a race condition vulnerability in the password reset functionality of Run.codes that allows attackers to bypass authentication. By exploiting timing issues during password reset requests, attackers can gain unauthorized access to user accounts. This affects all Run.codes installations running version 1.5.2 or older.
💻 Affected Systems
- Run.codes
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover leading to unauthorized access to sensitive user data, privilege escalation, and potential compromise of the entire Run.codes platform.
Likely Case
Unauthorized access to individual user accounts, allowing attackers to view private data, modify submissions, or impersonate legitimate users.
If Mitigated
Minimal impact with proper rate limiting, request validation, and monitoring in place to detect suspicious password reset patterns.
🎯 Exploit Status
Exploitation requires precise timing but tools can automate the race condition. Public proof-of-concept exists on GitHub.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.5.3
Vendor Advisory: https://github.com/runcodes-icmc/server/releases/tag/v1.5.3
Restart Required: Yes
Instructions:
1. Backup current installation.
2. Download v1.5.3 from GitHub releases.
3. Replace affected files, especially UsersController.php.
4. Restart web server.
5. Verify fix by testing password reset functionality.
🔧 Temporary Workarounds
Rate Limit Password Reset Requests
Implement strict rate limiting on password reset endpoints to prevent rapid concurrent requests.
# Configure web server rate limiting (nginx example)
limit_req_zone $binary_remote_addr zone=reset:10m rate=1r/s;
location /password-reset { limit_req zone=reset burst=5; }
Disable Password Reset Functionality
Temporarily disable the password reset feature until patching is possible.
# Comment out or remove password reset routes in your web application configuration
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block suspicious password reset patterns
- Enable detailed logging for all password reset attempts and monitor for unusual activity
🔍 How to Verify
Check if Vulnerable:
Check if UsersController.php contains the vulnerable password reset logic from versions 1.5.2 or older. Review code for race condition in reset token handling.
Check Version:
Check the version file or configuration: cat VERSION or grep 'version' config/*.php
Verify Fix Applied:
Test password reset functionality with concurrent requests to ensure tokens cannot be reused or bypassed. Verify UsersController.php has been updated to v1.5.3.
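The verification step above turns on one property: a reset token must be accepted at most once, however many requests arrive at the same instant. The following added example (written for this page in Python; Run.codes is a PHP application and this is not its code, nor the logic of UsersController.php) contrasts the check-then-invalidate pattern, whose gap between the check and the invalidation is the race window, with an atomic consume in which check and invalidation happen under one lock. The token store, token value and the barrier that holds all threads inside the window are constructed for the demonstration.

```python
"""Single-use reset tokens: check-then-invalidate vs atomic consume.

Added illustration for this advisory, not Run.codes code. The in-memory
store, the token value and the barrier are constructed for the example.
"""
import threading


class RacyTokenStore:
    """Check-then-invalidate: every request that reads the token before the
    first invalidation is accepted, so N simultaneous requests can all win."""

    def __init__(self, tokens):
        self.tokens = dict(tokens)

    def consume(self, token, barrier=None):
        if token not in self.tokens:          # step 1: check
            return False
        if barrier is not None:               # constructed: park all callers in the window
            barrier.wait()
        self.tokens.pop(token, None)          # step 2: invalidate (too late for the others)
        return True


class AtomicTokenStore:
    """Check and invalidation happen under one lock, so exactly one caller can
    observe the token as valid. The SQL analogue is a single statement such as
    UPDATE ... SET used = 1 WHERE token = ? AND used = 0, accepting the request
    only if one row was affected."""

    def __init__(self, tokens):
        self.tokens = dict(tokens)
        self._lock = threading.Lock()

    def consume(self, token, barrier=None):
        if barrier is not None:
            barrier.wait()                    # callers arrive together; the lock serialises them
        with self._lock:
            return self.tokens.pop(token, None) is not None


def concurrent_successes(store, token, n_requests):
    """Issue n_requests simultaneous consume() calls and count the successes.
    A correct store returns 1 regardless of n_requests."""
    barrier = threading.Barrier(n_requests)
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = store.consume(token, barrier)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


if __name__ == "__main__":
    token = "tok-constructed"                 # constructed token value
    print("racy store accepted:", concurrent_successes(RacyTokenStore({token: "alice"}), token, 8))
    print("atomic store accepted:", concurrent_successes(AtomicTokenStore({token: "alice"}), token, 8))
```

The harness is deterministic because the barrier forces every caller to sit inside the window; in production the window is a few microseconds wide, which is why a code review for the check/invalidate gap is a more reliable verification than observing behaviour under load.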
📡 Detection & Monitoring
Log Indicators:
- Multiple password reset requests for same user within short timeframes
- Successful password resets without corresponding email verification
- Unusual IP addresses accessing password reset endpoints
Network Indicators:
- High volume of POST requests to /password-reset endpoints
- Rapid sequential requests with similar parameters
SIEM Query:
source="web_logs" AND (url_path="/password-reset" OR url_path="/reset-password") | stats count by src_ip, user_agent, user_id | where count > 5
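The log and network indicators above can be checked without a SIEM. The following added example (not part of the original advisory) implements two of them in Python over a constructed access-log format: a sliding-window count of reset POSTs per (source IP, account) pair, and the number of distinct source IPs that requested a reset for the same account. The log layout, IP addresses and account names are all constructed for illustration; real deployments will need the regex adjusted to their own access-log format.

```python
"""Flag password-reset bursts in web access logs.

Added example for this advisory, not Run.codes code. The log format is
constructed for illustration:
    <ISO-8601 UTC timestamp> <src_ip> <method> <path> user=<account> <status>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

RESET_PATHS = {"/password-reset", "/reset-password"}
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"user=(?P<user>\S+) (?P<status>\d{3})$"
)

# Constructed sample: one account hit seven times in seven seconds from one IP,
# one account with two normal resets, an unrelated GET, and a later reset for
# the first account from a second IP.
SAMPLE_LOG = [
    "2024-10-10T12:00:00Z 203.0.113.5 POST /password-reset user=alice 200",
    "2024-10-10T12:00:01Z 203.0.113.5 POST /password-reset user=alice 200",
    "2024-10-10T12:00:02Z 203.0.113.5 POST /password-reset user=alice 200",
    "2024-10-10T12:00:03Z 198.51.100.9 GET /login user=alice 200",
    "2024-10-10T12:00:03Z 203.0.113.5 POST /password-reset user=alice 200",
    "2024-10-10T12:00:04Z 203.0.113.5 POST /password-reset user=alice 200",
    "2024-10-10T12:00:05Z 203.0.113.5 POST /password-reset user=alice 200",
    "2024-10-10T12:00:06Z 203.0.113.5 POST /password-reset user=alice 200",
    "2024-10-10T12:05:00Z 192.0.2.44 POST /reset-password user=bob 200",
    "2024-10-10T12:30:00Z 192.0.2.44 POST /reset-password user=bob 200",
    "2024-10-10T13:00:00Z 198.51.100.9 POST /password-reset user=alice 200",
]


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def reset_requests(lines):
    """Parsed POSTs to a reset endpoint, sorted by timestamp."""
    recs = (parse_line(line) for line in lines)
    hits = [r for r in recs if r and r["method"] == "POST" and r["path"] in RESET_PATHS]
    return sorted(hits, key=lambda r: r["ts"])


def detect_reset_bursts(lines, threshold=5, window_seconds=60):
    """(src_ip, user) pairs with more than `threshold` reset POSTs inside any
    sliding window of `window_seconds`; the value is the peak count seen."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for r in reset_requests(lines):
        key = (r["ip"], r["user"])
        q = recent[key]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:      # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def users_with_multiple_source_ips(lines, min_ips=2):
    """Accounts whose reset requests came from at least `min_ips` distinct IPs."""
    ips = defaultdict(set)
    for r in reset_requests(lines):
        ips[r["user"]].add(r["ip"])
    return {user: len(s) for user, s in ips.items() if len(s) >= min_ips}


if __name__ == "__main__":
    print("bursts:", detect_reset_bursts(SAMPLE_LOG))
    print("multi-IP accounts:", users_with_multiple_source_ips(SAMPLE_LOG))
```

The burst detector keys on the (IP, account) pair rather than the IP alone, so a single source resetting many different accounts and a single account reset from many sources are caught by different checks; tune the threshold and window to the legitimate reset rate seen in your own logs before alerting on them.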