7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-57610

GHSA ID

GHSA-2hjh-495w-hmxc

EPSS Score

0.81869%

CWE

CWE-307

Published

2/6/2025

Updated

2/7/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-57610

CVE-2024-57610: Withdrawn Advisory: Sylius allows unrestricted brute-force attacks on user accounts

Withdrawn Advisory

This advisory has been withdrawn because it is not a vulnerability in the Sylius framework. This link is maintained to preserve external references.

Original Description

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use "firewalls, rate-limiting middleware, or authentication providers" for that functionality.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-57610

GHSA ID

GHSA-2hjh-495w-hmxc

EPSS Score

0.81869%

CWE

CWE-307

Published

2/6/2025

Updated

2/7/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
sylius/sylius	composer	<= 2.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Sylius' authentication flow not containing built-in rate limiting. While the SecurityController::loginAction is the primary entry point for authentication requests, its vulnerability is contextual - it becomes an attack vector when deployed without complementary security layers like firewalls or rate-limiting middleware. The medium confidence reflects that the vulnerability exists in the absence of security features rather than an explicit code flaw, consistent with the vendor's position that protection is expected to be implemented at the infrastructure level.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Wit**r*wn **visory T*is **visory **s ***n wit**r*wn ****us* it is not * vuln*r**ility in t** Sylius *r*m*work. T*is link is m*int*in** to pr*s*rv* *xt*rn*l r***r*n**s. ## Ori*in*l **s*ription * r*t* limitin* issu* in Sylius v*.*.* *llows * r*mot*

Reasoning

T** vuln*r**ility st*ms *rom Sylius' *ut**nti**tion *low not *ont*inin* *uilt-in r*t* limitin*. W*il* t** `S**urity*ontroll*r::lo*in**tion` is t** prim*ry *ntry point *or *ut**nti**tion r*qu*sts, its vuln*r**ility is *ont*xtu*l - it ***om*s *n *tt**k

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-57610: Withdrawn Advisory: Sylius allows unrestricted brute-force attacks on user accounts

Withdrawn Advisory

Original Description

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI