Open Source and information security mailing list archives
Message-ID: <339351618.92106.1760107908282@fidget.co-bxl>
Date: Fri, 10 Oct 2025 16:51:48 +0200 (CEST)
From: Christopher Dickinson via Fulldisclosure <fulldisclosure@...lists.org>
To: fulldisclosure@...lists.org
Subject: [FD] Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com (JWT Leakage, IDOR, DoS)

Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com

CVE Identifiers

* CVE-2025-[PENDING] - Excessive Data Exposure / JWT Token Leakage
* CVE-2025-[PENDING] - Broken Object Level Authorization (IDOR)
* CVE-2025-[PENDING] - Unrestricted Resource Consumption (DoS)

Executive Summary
This security advisory details three significant vulnerabilities discovered in the Suno.com web application and API infrastructure on October 9, 2025. The vulnerabilities include exposure of active JWT session tokens, broken authorization controls allowing unauthorized access to private user data, and unrestricted resource consumption enabling denial of service attacks.

Overall Risk Rating: HIGH
Vendor: Suno, Inc.
Affected Product: suno.com web application
Status: Disclosed to vendor October 9, 2025. Vendor failed to engage in coordinated disclosure properly. Public disclosure: October 10, 2025.

Disclosure Timeline
October 9, 2025 – Vulnerabilities discovered during security assessment
October 9, 2025 – Initial disclosure email sent to Suno with redacted report
October 10, 2025 – Vendor responded disputing Finding 1, claimed unable to reproduce Finding 2
October 10, 2025 – Researcher provided specific endpoint paths and attack methodology
October 10, 2025 – Vendor proposed Google Forms for proof-of-concept transmission
October 10, 2025 – Researcher rejected insecure channel, offered 5 secure alternatives with no response
October 10, 2025 – Public disclosure initiated, CVE requests submitted

Vulnerability Details

Finding 1: Excessive Data Exposure / JWT Token Leakage
CVE-2025-[PENDING]
Severity: HIGH
CVSS 3.1 Score: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
CWE: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor)
OWASP API Security: API3:2023 - Broken Object Property Level Authorization

Description
Multiple API endpoints return excessive sensitive data in JSON response bodies, including active JWT session tokens, full user PII, OAuth provider details, and internal application state. Most critically, the session management endpoint exposes the active JWT token in plaintext JSON accessible to JavaScript.

Affected Components
/v1/client/sessions/{session_id}/touch (clerk.suno.com)
/api/feed/v2 (studio-api.prod.suno.com)
/api/user/user_config/ (studio-api.prod.suno.com)
/api/discover (studio-api.prod.suno.com)

Attack Vector

1. User authenticates normally to suno.com
2. Malicious browser extension monitors network traffic
3. Extension intercepts API response from /v1/client/sessions/{session_id}/touch
4. Attacker extracts JWT token from JSON response body
5. Attacker uses stolen JWT to hijack victim's session in a separate browser/device

No user interaction required beyond normal application usage.

Proof of Concept (Redacted)
Request and response data show that the “last_active_token.jwt” field contains the active session token.

Impact

* Account takeover via stolen JWT
* Privacy breach (full PII exposure)
* MFA bypass
* Potential mass exploitation
* Reconnaissance for further attacks

Validation
Controlled accounts were used to verify JWT theft and reuse for full session hijacking.

Remediation

* Remove JWT from all API response bodies
* Store JWT in HttpOnly, Secure cookies only
* Implement token rotation
* Apply strict data filtering and minimize PII in responses
* Audit endpoints for excessive data exposure
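The last remediation item, auditing endpoints for excessive data exposure, is easy to mechanise. The following is an added example, not code from the advisory or from Suno or Clerk: it walks a JSON response, flags every value shaped like a JWT, and decodes the header and payload (without verifying the signature) so an auditor can see which session tokens and claims are readable by any script running in the page. The response body below is constructed for this example; only the field name "last_active_token.jwt" follows the advisory's description of the session touch endpoint.

```javascript
// Added example (not Suno/Clerk code): find JWT-shaped values in API responses.
// Three base64url segments; the signature segment may be empty (alg "none").
const JWT_RE = /^[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]{2,}\.[A-Za-z0-9_-]*$/;

function b64url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(seg) {
  const padded = seg + '='.repeat((4 - (seg.length % 4)) % 4);
  return Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Returns {header, payload} when both segments decode to JSON and the header
// carries an "alg" claim; null otherwise. Deliberately does not verify the
// signature: the goal is to locate tokens in a response, not to trust them.
function parseJwt(token) {
  const [h, p] = token.split('.');
  try {
    const header = JSON.parse(b64urlDecode(h));
    const payload = JSON.parse(b64urlDecode(p));
    return typeof header.alg === 'string' ? { header, payload } : null;
  } catch (_) {
    return null;
  }
}

// Recursively scans any JSON value and returns one finding per leaked token,
// with a JSONPath-style location so the offending field can be removed.
function findJwtLeaks(value, path = '$') {
  if (typeof value === 'string') {
    if (!JWT_RE.test(value)) return [];
    const parsed = parseJwt(value);
    if (!parsed) return [];
    const { alg } = parsed.header;
    const { sub, exp } = parsed.payload;
    return [{ path, alg, sub, exp }];
  }
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findJwtLeaks(v, `${path}[${i}]`));
  }
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) => findJwtLeaks(v, `${path}.${k}`));
  }
  return [];
}

// Constructed sample token: HS256 header, a session-style payload and a fake
// signature segment. No real key or real Suno data is involved.
const SAMPLE_JWT = [
  b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64url(JSON.stringify({ sub: 'user_constructed', sid: 'sess_constructed', exp: 1760108000 })),
  b64url('constructed-signature'),
].join('.');

// Constructed response in the shape the advisory describes: the live token sits
// in the JSON body next to ordinary session fields, readable by page JavaScript.
const SAMPLE_TOUCH_RESPONSE = {
  response: {
    id: 'sess_constructed',
    status: 'active',
    last_active_token: { id: 'tok_constructed', jwt: SAMPLE_JWT },
  },
  client: null,
};

console.log(findJwtLeaks(SAMPLE_TOUCH_RESPONSE));
```

Run the scanner over captured responses from every endpoint in scope and treat any hit outside a deliberately token-issuing call as a finding. One caveat on the cookie remediation above: an HttpOnly, Secure cookie keeps the token out of reach of page scripts (the XSS case), but a browser extension granted host or cookie permissions can still read outbound request headers, so the extension-based vector in the attack narrative is limited by token rotation and short lifetimes rather than by the cookie flags alone.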

Finding 2: Broken Object Level Authorization (IDOR)
CVE-2025-[PENDING]
Severity: HIGH
CVSS 3.1 Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
OWASP API Security: API1:2023 - Broken Object Level Authorization

Description
The API fails to perform proper server-side authorization checks on user_id parameters, allowing authenticated users to access private content belonging to other users.

Affected Components
/api/feed/v2 (studio-api.prod.suno.com)
/api/user/user_config/ (studio-api.prod.suno.com)
User content retrieval endpoints

Attack Vector

1. Attacker enumerates user IDs from /api/discover
2. Attacker uses victim’s user_id to query /api/feed/v2
3. Server returns private content without ownership validation

Impact

* Complete privacy breach
* Horizontal privilege escalation
* Mass data exfiltration
* Intellectual property theft
* Reconnaissance

Validation
Testing confirmed that one authenticated user could access another’s private data with no authorization check.

Remediation

* Enforce server-side ownership validation
* Match JWT user_id to requested resource
* Centralize and audit authorization logic
* Implement cross-user access logging
* Remove user_id parameters where unnecessary
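The remediation list above amounts to one rule: the owner filter must come from the verified session, never from a caller-supplied user_id. The following is an added example, not Suno's code, showing the vulnerable lookup beside a hardened one over an in-memory clip store. Field names (user_id, is_public), the sample clips and the endpoint strings in the log entries are constructed for this example; the session object stands in for claims taken from a verified JWT.

```javascript
// Added example (not Suno's code): server-side ownership validation for a
// feed endpoint and a per-user config endpoint, with cross-user access logging.

// Constructed sample data: two users, one of whom has a private (draft) clip.
const CLIPS = [
  { id: 'clip_a1', user_id: 'user_alice', is_public: true,  title: 'alice public' },
  { id: 'clip_a2', user_id: 'user_alice', is_public: false, title: 'alice private' },
  { id: 'clip_b1', user_id: 'user_bob',   is_public: false, title: 'bob private' },
];

// Audit trail for cross-user requests; a real service would forward this to
// its SIEM so enumeration (many targets from one actor) is visible.
const accessLog = [];

function requireSession(session) {
  if (!session || typeof session.sub !== 'string') {
    throw Object.assign(new Error('unauthenticated'), { status: 401 });
  }
  return session.sub;
}

// VULNERABLE: the caller-supplied user_id selects the owner and the session
// identity is never consulted, so any authenticated user reads anyone's drafts.
function getFeedVulnerable(query) {
  return CLIPS.filter(c => c.user_id === query.user_id);
}

// HARDENED: the owner filter is bound to the verified session. A user_id that
// does not match the caller only ever yields that user's public clips, and the
// mismatch is logged for detection. Omitting user_id means "my own feed".
function getFeedHardened(session, query) {
  const actor = requireSession(session);
  const requestedOwner = query.user_id ?? actor;
  const isOwner = requestedOwner === actor;
  if (!isOwner) {
    accessLog.push({ actor, target: requestedOwner, endpoint: '/api/feed/v2' });
  }
  return CLIPS.filter(c => c.user_id === requestedOwner && (isOwner || c.is_public));
}

// For resources that are never shareable (a user's own config), the check is a
// hard deny rather than a filter: 403 when the key does not match the session.
function getUserConfigHardened(session, userId) {
  const actor = requireSession(session);
  if (userId !== actor) {
    accessLog.push({ actor, target: userId, endpoint: '/api/user/user_config/' });
    throw Object.assign(new Error('forbidden'), { status: 403 });
  }
  return { user_id: userId, theme: 'constructed' }; // constructed placeholder config
}
```

The two hardened functions show the two shapes an object-level check takes: filtering to the public subset where sharing is a feature, and denying outright where it is not. In both, the requested key is compared against the session's subject claim on every call, which is the check the advisory reports as missing.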

Finding 3: Unrestricted Resource Consumption (DoS)
CVE-2025-[PENDING]
Severity: MEDIUM
CVSS 3.1 Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CWE: CWE-770 (Allocation of Resources Without Limits)
OWASP API Security: API4:2023 - Unrestricted Resource Consumption

Description
The /api/clips/get_songs_by_ids endpoint accepts an unbounded number of IDs in a single request, so one call can force arbitrarily large backend work and create resource exhaustion and DoS conditions.

Affected Components
/api/clips/get_songs_by_ids (studio-api.prod.suno.com)
/api/feed/v2 (with large page sizes)

Impact

* Denial of Service and resource exhaustion
* Service degradation
* Cascading backend failures
* Low barrier for exploitation

Remediation

* Enforce strict limit on batch request size
* Implement rate limiting and throttling
* Paginate large requests
* Add monitoring and circuit breakers
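The first two remediation items, a hard cap on batch size and per-caller throttling, are shown below as an added example rather than Suno's code. The cap, the ID format and the token-bucket parameters are illustrative assumptions; the request body shape (`{ ids: [...] }`) is also assumed, since the advisory does not reproduce it.

```javascript
// Added example (not Suno's code): bounded batch parsing plus a token bucket
// whose cost scales with the batch size, for an endpoint like
// /api/clips/get_songs_by_ids.

const MAX_BATCH_IDS = 50;                    // assumed limit
const ID_RE = /^[A-Za-z0-9_-]{1,64}$/;       // assumed id format

function rejection(status, message) {
  return Object.assign(new Error(message), { status });
}

// Reject before any database work. Oversized batches get a 400 rather than a
// silent truncation, so clients learn the limit instead of retrying the same
// payload; duplicates are collapsed so they cannot inflate the work either.
function parseIdBatch(raw) {
  if (!Array.isArray(raw)) throw rejection(400, 'ids must be an array');
  if (raw.length > MAX_BATCH_IDS) throw rejection(400, `at most ${MAX_BATCH_IDS} ids per request`);
  const ids = [];
  const seen = new Set();
  for (const id of raw) {
    if (typeof id !== 'string' || !ID_RE.test(id)) throw rejection(400, 'malformed id');
    if (!seen.has(id)) { seen.add(id); ids.push(id); }
  }
  return ids;
}

// Token bucket per caller: `capacity` units of burst, refilled at `ratePerSec`.
// The clock is injected so behaviour is deterministic in tests.
class TokenBucket {
  constructor(capacity, ratePerSec, now = () => Date.now() / 1000) {
    this.capacity = capacity;
    this.rate = ratePerSec;
    this.now = now;
    this.buckets = new Map(); // callerKey -> { tokens, last }
  }
  take(key, cost = 1) {
    const t = this.now();
    const b = this.buckets.get(key) ?? { tokens: this.capacity, last: t };
    b.tokens = Math.min(this.capacity, b.tokens + (t - b.last) * this.rate);
    b.last = t;
    this.buckets.set(key, b);
    if (b.tokens < cost) return false;
    b.tokens -= cost;
    return true;
  }
}

// Charge one token per id, not per request, so a 50-id batch cannot be fetched
// for the price of a single lookup. callerKey would normally be the session
// subject, falling back to client IP for unauthenticated traffic.
function handleGetSongsByIds(bucket, callerKey, body) {
  const ids = parseIdBatch(body.ids);
  if (!bucket.take(callerKey, ids.length)) throw rejection(429, 'rate limited');
  return { requested: ids.length, ids }; // a real handler would now query by ids
}
```

Pagination for /api/feed/v2 follows the same pattern: clamp the page size to a fixed maximum server-side and charge the bucket by the clamped size, so a client cannot choose its own cost.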

Vendor Response
Suno was notified with a formal report, business impact analysis, and secure disclosure channel options.

Vendor Response Pattern
Finding 1: Dismissed due to misunderstanding of client-side risk.
Finding 2: Claimed unreproducible despite full details.
Finding 3: Partially acknowledged without clear remediation.

Insecure Disclosure Channel
Vendor proposed Google Forms for exploit transmission, rejected due to lack of encryption, control, and auditability.

Decision to Disclose Publicly
After repeated non-engagement, public disclosure was initiated per standard 90-day coordinated disclosure norms to protect users.

Testing Methodology
Framework: Penetration Testing Execution Standard (PTES)
Phases: Reconnaissance, Scanning, Vulnerability Assessment, Exploitation, Documentation
Scope: suno.com, studio-api.prod.suno.com, clerk.suno.com
Testing used only researcher-owned accounts and avoided destructive actions.

Recommendations for Users

* Assume session tokens may be compromised
* Monitor account activity
* Treat private content as potentially exposed
* Expect possible service disruption
* Limit sensitive use until remediation confirmed

Recommendations for Suno

Immediate Actions:

* Fix JWT exposure, IDOR, and DoS endpoints immediately
* Enforce secure token storage and strict authorization

Long-Term:

* Establish formal security contact and program
* Conduct OWASP API audit and external review
* Integrate secure coding and testing in CI/CD
* Implement disclosure and incident response policy

References
OWASP API Security Top 10
CWE-359, CWE-639, CWE-770
PTES
Google Project Zero Disclosure Policy

Credit
Discoverer: Christopher Dickinson
Disclosure Date: October 10, 2025
CVE Requests Submitted: October 10, 2025

Contact
Email: chris.dickinson@...lfence.com

Legal
Testing was ethical, limited, and non-destructive using researcher-controlled accounts.
No user data was accessed or exfiltrated.
Disclosure made in the interest of public safety.

Disclaimer: Provided for educational and defensive purposes only. The author is not responsible for misuse.

Last Updated: October 10, 2025
Christopher Dickinson
Veteran | IT Professional | Cybersecurity Student | Business Management


-- 
Sent with https://mailfence.com  
Secure and private email
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
