7.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-29887

CVE-2024-29887: Serverpod client accepts any certificate

This bug bypassed the validation of TSL certificates on all none web HTTP clients in the serverpod_client package. Making them susceptible to a man in the middle attack against encrypted traffic between the client device and the server.

An attacker would need to be able to intercept the traffic and highjack the connection to the server for this vulnerability to be used.

Impact

All versions of serverpod_client pre 1.2.6

Patches

Upgrading to version 1.2.6 resolves this issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-29887

CVE-2024-29887:

7.4

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
serverpod_client	pub	< 1.2.6	1.2.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows removal of a badCertificateCallback override in serverpod_client_io.dart that unconditionally returned true. This callback is responsible for certificate validation in Dart's HttpClient. By forcing it to always accept certificates, it disabled TLS validation entirely. The patch removed this insecure override, restoring proper certificate validation. The test file addition confirms the fix by verifying handshake failures with invalid certificates.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-29887: Serverpod client accepts any certificate

Impact

Patches

CVE-2024-29887:

7.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

CVE-2024-29887: Serverpod client accepts any certificate

Impact

Patches

Technical Details

7.4

7.4

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI