CVE-2024-52294: khoj has an IDOR in subscription management allows unauthorized subscription modifications

December 30, 2024

An Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users’ Stripe subscriptions by simply modifying the email parameter in the request.

References

github.com/advisories/GHSA-hq4h-w933-jm6c
github.com/khoj-ai/khoj
github.com/khoj-ai/khoj/commit/47d3c8c23597900af708bdc60aced3ae5d2064c1
github.com/khoj-ai/khoj/security/advisories/GHSA-hq4h-w933-jm6c
nvd.nist.gov/vuln/detail/CVE-2024-52294

Detect and mitigate CVE-2024-52294 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →