Inedo ProGet Reflection Vulnerability Leading to Denial-of-Service and Information Disclosure

Vulnerability

A vulnerability in Inedo ProGet versions through 2024.22 allows remote attackers to reach restricted functionality through the application's C# reflection layer. This can lead to a denial-of-service condition or the unauthorized disclosure of sensitive information. The issue is exploitable when anonymous access is enabled, or through a successful cross-site request forgery (CSRF) attack against an authenticated user.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by repeatedly restarting the ProGet web application, disrupting service availability.

Reproduction

The vulnerability can be reproduced by sending requests in a loop to the 'RestartWeb' endpoint of the ProGet web application, either from a web browser or from a script that automates the requests. The attack relies on the application's lack of proper CSRF protection, so the request is executed without the attacker authenticating: directly when anonymous access is enabled, or via the browser session of an authenticated user in the CSRF case.
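A defender-side way to spot the behaviour described above in web-server access logs, as an added example that is not part of this advisory and not Inedo's code: it parses Combined Log Format lines, flags any source that hits a path containing "RestartWeb" repeatedly inside a short window (the denial-of-service pattern), and separately flags RestartWeb requests whose Referer comes from a host other than the ProGet instance (the CSRF pattern). The exact URL path of the endpoint, the log format, the ProGet hostname "proget.example", the thresholds and the sample log lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
# (assumed log format; adjust the pattern for IIS or other log layouts)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log. The endpoint path '/placeholder/RestartWeb' is a
# placeholder: only the 'RestartWeb' segment is taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2025:19:40:01 +0000] "GET /feeds/nuget/Packages HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [09/Jun/2025:19:40:02 +0000] "GET /placeholder/RestartWeb HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jun/2025:19:40:05 +0000] "GET /placeholder/RestartWeb HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jun/2025:19:40:09 +0000] "GET /placeholder/RestartWeb HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.4 - admin [09/Jun/2025:19:41:00 +0000] "GET /placeholder/RestartWeb HTTP/1.1" 200 0 "https://proget.example/admin" "Mozilla/5.0"
192.0.2.9 - admin [09/Jun/2025:19:42:30 +0000] "GET /placeholder/RestartWeb HTTP/1.1" 200 0 "https://third-party.example/page" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_restart_request(rec):
    # Match on the path segment only, so the check survives a different URL prefix.
    return "restartweb" in rec["path"].lower()


def find_restart_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per source IP that issued >= threshold RestartWeb
    requests within `window`: (ip, count, first_ts, last_ts, anonymous).
    `anonymous` reflects the log's auth-user field only; cookie-based
    sessions may still show '-' there, so treat it as a hint, not proof."""
    recent = defaultdict(deque)  # ip -> timestamps of recent RestartWeb hits
    alerts, alerted = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_restart_request(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # sliding window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerts.append((rec["ip"], len(q), q[0], q[-1], rec["user"] == "-"))
            alerted.add(rec["ip"])
    return alerts


def foreign_referer_hits(lines, expected_host):
    """Return RestartWeb requests whose Referer names a host other than the
    ProGet instance: the footprint of a cross-site request launched from
    another origin. Requests with no Referer are not flagged here, since
    browsers and scripts legitimately omit it."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_restart_request(rec):
            continue
        ref = rec.get("referer") or "-"
        if ref == "-":
            continue
        if urlsplit(ref).hostname != expected_host:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n, first, last, anon in find_restart_bursts(lines):
        print(f"DoS pattern: {ip} sent {n} RestartWeb requests "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S} (anonymous={anon})")
    for rec in foreign_referer_hits(lines, "proget.example"):
        print(f"CSRF pattern: {rec['ip']} user={rec['user']} referer={rec['referer']}")
```

Run against real logs by replacing SAMPLE_LOG with the file contents; a single RestartWeb request from an administrator with a same-origin Referer (the fourth sample line) produces no alert, which is the intended baseline. Tune `threshold` and `window` to how often a legitimate restart is expected on your instance.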

Remediation

Users are advised to update to ProGet version 2024.37 or later, where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         1.4
impact:         5.0
exploitability: 7.4
remediation:    8.3
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.