CVE-2024-55963
Published 2025-03-26
Priority: P2 · 76 · medium · 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 27.73% (97.8th percentile)
An issue was discovered in Appsmith before 1.51. A user on Appsmith that doesn't have admin permissions can trigger the restart API on Appsmith, causing a server restart. This is still within the Appsmith container, and the impact is limited to Appsmith's own server only, but there is a denial of service because it can be continually restarted. This is due to incorrect access control checks, which should check for super user permissions on the incoming request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| appsmith | appsmith | < 1.51 | 1.51 |
Detection & IOCs (extracted from sources)
URL: /api/v1/datasources/schema-preview
Command: COPY FROM PROGRAM
Snort rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS AppSmith PostgreSQL Command Injection Attempt (CVE-2024-55963)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/v1/datasources"; startswith; content:"/schema-preview"; endswith; http.header; header_lowercase; content:"x-requested-by|3a 20|appsmith"; fast_pattern; content:"x-anonymous-user-id|3a 20|"; http.request_body; content:"title"; content:"body"; content:"copy"; nocase; within:30; content:"from program|20 27|"; nocase; within:100; content:"suggested"; content:"True"; within:30; reference:cve,2024-55963; reference:url,rhinosecuritylabs.com/research/cve-2024-55963-unauthenticated-rce-in-appsmith/; classtype:attempted-admin; sid:2061291; rev:1; metadata:affected_product Appsmith, attack_target Web_Server, tls_state plaintext, created_at 2025_04_04, cve CVE_2024_55963, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2025_04_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
Indicators:
- Exploit chain begins with unauthenticated self-registration via POST to /api/v1/users followed immediately by login to /api/v1/login; monitor for rapid sequential account creation and login from the same source IP with test/PoC credentials (e.g., [email protected] / Testing123!).
- The exploit requires the custom header 'X-Requested-By: Appsmith' on all authenticated API calls; alert on this header appearing in POST requests to /api/v1/datasources from non-administrative or newly registered accounts.
- The header 'x-anonymous-user-id' is present in exploit requests alongside 'x-requested-by: appsmith'; co-occurrence of both headers in requests to /api/v1/datasources endpoints is a strong exploit indicator.
- The DoS vector (the core of CVE-2024-55963) involves a non-admin user triggering the restart API; monitor for repeated POST requests to the Appsmith restart API endpoint from non-superuser sessions.
- The exploit targets Appsmith's internal PostgreSQL database with COPY FROM PROGRAM; inspect internal PostgreSQL logs for COPY FROM PROGRAM statements originating from the Appsmith application user.
Caveats:
- The Snort/ET rule only covers plaintext (non-TLS) traffic; deployments using HTTPS will not be detected by this rule without TLS inspection.
- The exploit is described as unauthenticated RCE (CVSS 9.8), but the PoC code actually performs self-registration first; environments that disable open user registration reduce but do not eliminate the attack surface.
- The NVD entry describes the core CVE as a DoS via the restart API (incorrect access control), while the exploit-db PoC extends this to full RCE via PostgreSQL COPY FROM PROGRAM; defenders should treat both attack paths as in scope.
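The two log-side indicators above (repeated restart calls from a non-superuser session, and POST to a datasources schema-preview route carrying both 'x-requested-by: appsmith' and 'x-anonymous-user-id' from a non-admin account) can be checked offline against application or proxy logs. The script below is an added example, not code from this page, from Appsmith, or from the Emerging Threats rule. It assumes a constructed JSON-lines log format (field names `ts`, `src_ip`, `user`, `is_superuser`, `method`, `path`, `headers` are this example's own), and because the page does not name the restart route, `RESTART_PATH` is a placeholder that an operator must replace with the path their deployment actually serves.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: the page does not name the restart route. Replace this placeholder
# with the path your Appsmith deployment actually serves before relying on it.
RESTART_PATH = "/api/v1/RESTART_ENDPOINT_PLACEHOLDER"
RESTART_THRESHOLD = 3                   # this many restart POSTs by one non-superuser ...
RESTART_WINDOW = timedelta(minutes=5)   # ... inside this window raises an alert


def _ev(ts, ip, user, superuser, path, headers):
    """Build one constructed JSON log line (sample data for this example)."""
    return json.dumps({"ts": ts, "src_ip": ip, "user": user, "is_superuser": superuser,
                       "method": "POST", "path": path, "headers": headers})


# Constructed sample log: one non-admin account hits schema-preview with both
# suspicious headers, then restarts the server three times in under five minutes.
# An admin and an unrelated low-privilege user each restart once (benign noise).
SAMPLE_LOG = "\n".join([
    _ev("2025-04-05T10:00:01Z", "203.0.113.7", "newuser", False,
        "/api/v1/datasources/abc123/schema-preview",
        {"X-Requested-By": "Appsmith", "X-Anonymous-User-Id": "0c1d"}),
    _ev("2025-04-05T10:00:03Z", "198.51.100.9", "admin", True,
        "/api/v1/datasources/abc123/schema-preview", {"X-Requested-By": "Appsmith"}),
    _ev("2025-04-05T10:01:00Z", "203.0.113.7", "newuser", False, RESTART_PATH, {"X-Requested-By": "Appsmith"}),
    _ev("2025-04-05T10:02:00Z", "203.0.113.7", "newuser", False, RESTART_PATH, {"X-Requested-By": "Appsmith"}),
    _ev("2025-04-05T10:03:30Z", "203.0.113.7", "newuser", False, RESTART_PATH, {"X-Requested-By": "Appsmith"}),
    _ev("2025-04-05T10:05:00Z", "198.51.100.9", "admin", True, RESTART_PATH, {"X-Requested-By": "Appsmith"}),
    _ev("2025-04-05T10:30:00Z", "192.0.2.44", "bob", False, RESTART_PATH, {"X-Requested-By": "Appsmith"}),
])


def parse_events(text):
    """Parse JSON lines into events with a datetime ts and lowercased headers
    (header names and values are compared case-insensitively, as the ET rule
    does with header_lowercase)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["headers"] = {k.lower(): str(v).lower() for k, v in ev.get("headers", {}).items()}
        events.append(ev)
    return events


def schema_preview_indicator(events):
    """Header co-occurrence indicator: POST to /api/v1/datasources/.../schema-preview
    carrying x-requested-by: appsmith AND x-anonymous-user-id from a non-superuser.
    Returns (src_ip, user, path) tuples."""
    hits = []
    for ev in events:
        path = ev["path"]
        if ev["method"] != "POST" or ev["is_superuser"]:
            continue
        if not (path.startswith("/api/v1/datasources") and path.endswith("/schema-preview")):
            continue
        h = ev["headers"]
        if h.get("x-requested-by") == "appsmith" and "x-anonymous-user-id" in h:
            hits.append((ev["src_ip"], ev["user"], path))
    return hits


def restart_abuse(events, threshold=RESTART_THRESHOLD, window=RESTART_WINDOW):
    """DoS indicator: repeated restart POSTs by one non-superuser (src_ip, user).
    Sliding window over sorted timestamps; returns (src_ip, user, max_count) for
    every actor whose densest window reaches the threshold."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"] == RESTART_PATH and not ev["is_superuser"]:
            by_actor[(ev["src_ip"], ev["user"])].append(ev["ts"])
    alerts = []
    for (ip, user), times in by_actor.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((ip, user, best))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("schema-preview header co-occurrence:", schema_preview_indicator(evs))
    print("restart abuse:", restart_abuse(evs))
```

Both checks deliberately key on the account's privilege level, because the page's own notes scope the indicators to non-administrative or non-superuser sessions; an admin calling the restart API or the schema-preview route once is expected behaviour, and the restart check only fires when one low-privilege actor reaches the threshold inside the window.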
CVSS provenance
NVD (v3.1): 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
VulnCheck: 6.5 MEDIUM
Suricata
ET WEB_SPECIFIC_APPS AppSmith PostgreSQL Command Injection Attempt (CVE-2024-55963) · 2025-04-04 · CVSS 6.5 (MEDIUM)
Rule text is identical to the Snort rule listed under Detection & IOCs above (sid 2061291).