CrowdSec
CrowdSec Score: 5/10

scoold - Authentication Bypass (CVE-2024-50334)

Published on: 29-10-2024
First seen on: 21-07-2025
CVSS: 8.7/10
Erudika - scoold

Exploiting IPs reported: 90

Scoold is a Q&A and knowledge sharing platform for teams. A semicolon path injection vulnerability was found on the /api;/config endpoint. By appending a semicolon in the URL, attackers can bypass authentication and gain unauthorised access to sensitive configuration data. Furthermore, PUT requests on the /api;/config endpoint that set the Content-Type: application/hocon header allow unauthenticated attackers to read files via HOCON file inclusion. This allows attackers to retrieve sensitive information such as configuration files from the server, which can be leveraged for further exploitation. The vulnerability has been fixed in Scoold 1.64.0. A workaround would be to disable the Scoold API with scoold.api_enabled = false.

CrowdSec analysis

CVE-2024-50334 is a critical vulnerability in the Scoold Q&A platform that allows attackers to bypass authentication by exploiting a semicolon path injection on the /api;/config endpoint. This flaw enables unauthorized access to sensitive configuration data and, through crafted PUT requests with a specific content type, allows unauthenticated file reading via HOCON file inclusion. Attackers could leverage this vulnerability to retrieve confidential server files and potentially escalate their attacks further. The issue is resolved in Scoold version 1.64.0.

CrowdSec has been tracking this vulnerability and its exploits since the 16th of July 2025.

CrowdSec network observations suggest that most exploitation of CVE-2024-50334 involves focused reconnaissance to identify viable targets. Attackers typically tailor their campaigns based on system exposure and configuration. It is unlikely that a given attack is accidental. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2024-50334. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit a semicolon path injection on the /api;/config endpoint using a PUT request to bypass authentication and access sensitive configuration data in vulnerable Scoold instances.
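The request shape described above can be looked for in a reverse proxy or web server access log. The following is an added example, not CrowdSec's detection rule or Scoold code: it flags any request whose path carries a semicolon path parameter and resolves under /api once that parameter is stripped, which generalizes slightly beyond the literal /api;/config. The log format (common/combined), the verdict names and the sample lines are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Common/combined access-log prefix: ip, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def strip_path_params(path):
    """Remove ';...' path parameters per segment: /api;/config -> /api/config."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def classify(line):
    """Return a finding dict for semicolon-injected /api requests, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path          # drops any query string
    stripped = strip_path_params(path)
    under_api = stripped == "/api" or stripped.startswith("/api/")
    if ";" not in path or not under_api:
        return None
    if stripped == "/api/config" and m["method"] == "PUT":
        verdict = "config-put"      # shape the advisory ties to HOCON file reading
    elif stripped == "/api/config":
        verdict = "config-access"   # shape the advisory ties to config disclosure
    else:
        verdict = "api-semicolon"   # same trick against another API path
    return {"ip": m["ip"], "method": m["method"], "path": path,
            "verdict": verdict, "answered_2xx": m["status"].startswith("2")}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Jul/2025:10:00:01 +0000] "GET /api/config HTTP/1.1" 401 52',
    '198.51.100.7 - - [21/Jul/2025:10:00:02 +0000] "GET /api;/config HTTP/1.1" 200 4312',
    '198.51.100.7 - - [21/Jul/2025:10:00:03 +0000] "PUT /api;/config HTTP/1.1" 200 4312',
    '192.0.2.44 - - [21/Jul/2025:10:00:04 +0000] "GET /static;v=1/app.css HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with answered_2xx set deserves priority in triage: on an instance older than 1.64.0 with the API enabled, a successful response to such a request means configuration data may have been returned.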

Exploitation

Get real-time information about exploitation attempts and actors involved.

Detected IPs

Discover the IPs that targeted this vulnerability across the CrowdSec Network.

Protection

Find out relevant information to protect your stack against this CVE.

Blocklist

With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.

To increase your protection against this CVE, block exploitation attempts with this list of identified actors.