CVE-2024-24829: Sentry is an error tracking and performance monitoring platform. Sentry’s integration platform provides a way for external services to interact with S...

Description

Sentry is an error tracking and performance monitoring platform. Sentry’s integration platform provides a way for external services to interact with Sentry. One of such integrations, the Phabricator integration (maintained by Sentry) with version <=24.1.1 contains a constrained SSRF vulnerability. An attacker could make Sentry send POST HTTP requests to arbitrary URLs (including internal IP addresses) by providing an unsanitized input to the Phabricator integration. However, the body payload is constrained to a specific format. If an attacker has access to a Sentry instance, this allows them to: 1. interact with internal network; 2. scan local/remote ports. This issue has been fixed in Sentry self-hosted release 24.1.2, and has already been mitigated on sentry.io on February 8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

0.47%

37.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Sentry	Sentry	>= 9.1.0, < 24.1.2

References

https://github.com/getsentry/self-hosted/releases/tag/24.1.2Release Notes
https://github.com/getsentry/sentry/pull/64882Issue Tracking
https://github.com/getsentry/sentry/security/advisories/GHSA-rqxh-fp9p-p98rThird Party Advisory
https://github.com/getsentry/self-hosted/releases/tag/24.1.2Release Notes
https://github.com/getsentry/sentry/pull/64882Issue Tracking
https://github.com/getsentry/sentry/security/advisories/GHSA-rqxh-fp9p-p98rThird Party Advisory

Timeline

Published: Feb 9, 2024
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2024-24829?

Sentry is an error tracking and performance monitoring platform. Sentry’s integration platform provides a way for external services to interact with Sentry. One of such integrations, the Phabricator integration (maintained by Sentry) with version <=24.1.1 contains a constrained SSRF vulnerability. An attacker could make Sentry send POST HTTP requests to arbitrary URLs (including internal IP addresses) by providing an unsanitized input to the Phabricator integration. However, the body payload is constrained to a specific format. If an attacker has access to a Sentry instance, this allows them to: 1. interact with internal network; 2. scan local/remote ports. This issue has been fixed in Sentry self-hosted release 24.1.2, and has already been mitigated on sentry.io on February 8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

How severe is CVE-2024-24829?

CVE-2024-24829 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.47% probability of exploitation in the next 30 days.

How do I fix CVE-2024-24829?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.