CVE-2024-55073

7.6 HIGH

📋 TL;DR

A Broken Object Level Authorization vulnerability in Mealie v2.2.0 allows authenticated users to modify their own profile to escalate privileges or change household assignments. This affects all Mealie instances running the vulnerable version where users have access to their profile endpoint.

💻 Affected Systems

Products:
  • hay-kot mealie
Versions: v2.2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Mealie v2.2.0 are vulnerable by default. The vulnerability requires authenticated access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative privileges, potentially compromising all recipe data, user accounts, and system configuration.

🟠 Likely Case

Users escalate their privileges to gain unauthorized access to other users' recipes or administrative functions.

🟢 If Mitigated

Proper authorization checks prevent unauthorized privilege escalation, limiting users to their intended permissions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of the API endpoint. The vulnerability is documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.2.1 or later

Vendor Advisory: https://github.com/mealie-recipes/mealie/issues/4593

Restart Required: No

Instructions:

1. Update Mealie to version 2.2.1 or later.
2. Verify the update completed successfully.
3. Test that users can no longer modify permissions via the profile endpoint.

🔧 Temporary Workarounds

Disable user profile modifications (applies to: all)

Temporarily restrict access to the /api/users/{user-id} endpoint to prevent exploitation.

Configure the web server (nginx/apache) to block PUT/PATCH requests to /api/users/*.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Mealie instance from sensitive systems
  • Enable detailed logging of all user profile modification attempts for monitoring

🔍 How to Verify

Check if Vulnerable:

Check if running Mealie version 2.2.0. Attempt to modify user permissions via the /api/users/{user-id} endpoint as a non-admin user.

Check Version:

Check the Mealie web interface settings page or the container image tag.

Verify Fix Applied:

After updating, verify the version is 2.2.1+. Attempt the same privilege escalation and confirm it fails.

📡 Detection & Monitoring

Log Indicators:

  • Unusual PUT/PATCH requests to /api/users/ endpoints
  • User permission changes from non-admin accounts

Network Indicators:

  • HTTP 200 responses to user permission modification requests from non-admin users

SIEM Query:

source="mealie" AND (uri_path="/api/users/*" AND http_method IN ("PUT", "PATCH")) AND user_role!="admin"
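The SIEM query above can be reproduced offline against access logs to test the rule before deploying it. The following Python script is an added example, not part of this advisory or of the Mealie project: it assumes a constructed log layout (timestamp, source address, username, `role=` field, request line, status code) that you would adapt to your reverse proxy's or Mealie's real log format, flags every PUT/PATCH under /api/users/ by a non-admin caller, and marks the HTTP 200 cases that the network indicator above calls out. All user names, ids and addresses in the sample log are made up.

```python
import re
from typing import Dict, Iterable, List, Optional

# Assumed access-log layout (constructed for this example; adapt LOG_RE to the
# real format emitted by your reverse proxy or Mealie's application log):
#   <timestamp> <source-ip> <username> role=<role> "<METHOD> <path> HTTP/x.y" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) role=(?P<role>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

# Same scope as the advisory's SIEM query: any PUT/PATCH under /api/users/,
# including sub-resources such as /api/users/<id>/password.
USER_ENDPOINT_RE = re.compile(r'^/api/users/[^/?]+(?:[/?].*)?$')
WRITE_METHODS = {"PUT", "PATCH"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict of named fields, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(rec: Dict[str, str]) -> bool:
    """Mirror the query: write method, /api/users/* path, and the caller is not an admin."""
    return (
        rec["method"] in WRITE_METHODS
        and USER_ENDPOINT_RE.match(rec["path"]) is not None
        and rec["role"] != "admin"
    )


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per matching line, in log order.

    'succeeded' is True for HTTP 200 responses, which the advisory lists as the
    network indicator that a permission change actually went through.
    Lines that do not parse are skipped rather than treated as matches.
    """
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "user": rec["user"],
            "method": rec["method"],
            "path": rec["path"],
            "status": int(rec["status"]),
            "succeeded": rec["status"] == "200",
        })
    return findings


# Constructed sample log: every name, id and address here is made up.
SAMPLE_LOG = """\
2024-12-01T10:00:01Z 10.0.0.5 alice role=user "GET /api/users/7f3a HTTP/1.1" 200
2024-12-01T10:00:07Z 10.0.0.5 alice role=user "PUT /api/users/7f3a HTTP/1.1" 200
2024-12-01T10:01:12Z 10.0.0.9 bob role=user "PATCH /api/users/9c1d/password HTTP/1.1" 403
2024-12-01T10:02:30Z 10.0.0.2 root role=admin "PUT /api/users/7f3a HTTP/1.1" 200
2024-12-01T10:03:00Z 10.0.0.5 alice role=user "POST /api/recipes HTTP/1.1" 201
not a log line
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        flag = "CHANGE APPLIED" if f["succeeded"] else "blocked"
        print(f"{f['ts']} {f['user']}@{f['src']} {f['method']} {f['path']} -> {f['status']} ({flag})")
```

Like the SIEM query it reproduces, the rule matches every non-admin write under /api/users/, so ordinary self-service profile edits will also appear in the findings; the `succeeded` flag and the request path are the fields to pivot on when triaging, and after patching to 2.2.1 or later the expected picture is non-admin write attempts that all carry non-200 statuses.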
