Security Advisory: Multiple High-Severity Vulnerabilities in Suno.com

CVE Identifiers

* CVE-2025-[PENDING] - Excessive Data Exposure / JWT Token Leakage
* CVE-2025-[PENDING] - Broken Object Level Authorization (IDOR)
* CVE-2025-[PENDING] - Unrestricted Resource Consumption (DoS)

Executive Summary
This security advisory details three significant vulnerabilities discovered in 
the Suno.com web application and API infrastructure on October 9, 2025. The 
vulnerabilities include exposure of active JWT session tokens, broken 
authorization controls allowing unauthorized access to private user data, and 
unrestricted resource consumption enabling denial of service attacks.

Overall Risk Rating: HIGH
Vendor: Suno, Inc.
Affected Product: suno.com web application
Status: Disclosed to vendor October 9, 2025. Vendor failed to engage in 
coordinated disclosure properly. Public disclosure: October 10, 2025.

Disclosure Timeline
October 9, 2025 – Vulnerabilities discovered during security assessment
October 9, 2025 – Initial disclosure email sent to Suno with redacted report
October 10, 2025 – Vendor responded disputing Finding 1, claimed unable to reproduce Finding 2
October 10, 2025 – Researcher provided specific endpoint paths and attack methodology
October 10, 2025 – Vendor proposed Google Forms for proof-of-concept transmission
October 10, 2025 – Researcher rejected insecure channel, offered 5 secure alternatives with no response
October 10, 2025 – Public disclosure initiated, CVE requests submitted

Vulnerability Details

Finding 1: Excessive Data Exposure / JWT Token Leakage
CVE-2025-[PENDING]
Severity: HIGH
CVSS 3.1 Score: 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
CWE: CWE-359 (Exposure of Private Information)
OWASP API Security: API3:2023 - Broken Object Property Level Authorization

Description
Multiple API endpoints return excessive sensitive data in JSON response bodies, 
including active JWT session tokens, full user PII, OAuth provider details, and 
internal application state. Most critically, the session management endpoint 
exposes the active JWT token in plaintext JSON accessible to JavaScript.

Affected Components
/v1/client/sessions/{session_id}/touch (clerk.suno.com)
/api/feed/v2 (studio-api.prod.suno.com)
/api/user/user_config/ (studio-api.prod.suno.com)
/api/discover (studio-api.prod.suno.com)

Attack Vector

1. User authenticates normally to suno.com
2. Malicious browser extension monitors network traffic
3. Extension intercepts API response from /v1/client/sessions/{session_id}/touch
4. Attacker extracts JWT token from JSON response body
5. Attacker uses stolen JWT to hijack victim’s session in separate browser/device

No user interaction required beyond normal application usage.

Proof of Concept (Redacted)
Request and response data show that the “last_active_token.jwt” field contains 
the active session token.

Impact

* Account takeover via stolen JWT
* Privacy breach (full PII exposure)
* MFA bypass
* Potential mass exploitation
* Reconnaissance for further attacks

Validation
Controlled accounts were used to verify JWT theft and reuse for full session 
hijacking.

Remediation

* Remove JWT from all API response bodies
* Store JWT in HttpOnly, Secure cookies only
* Implement token rotation
* Apply strict data filtering and minimize PII in responses
* Audit endpoints for excessive data exposure
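
As an added example (my code, not the advisory's and not Suno's or Clerk's) for the first, second and last remediation bullets: an audit helper that scans a JSON response body for bearer tokens by key name and by JWT shape, strips them, and builds the HttpOnly/Secure Set-Cookie header that should carry the session instead. The sample response, the cookie name and the key denylist are constructed assumptions modelled on the "last_active_token.jwt" field the advisory cites.

```python
import re
from typing import Any

# A JWT is three base64url segments; a JSON header always encodes to a
# segment starting with "eyJ", which makes leaked tokens easy to spot.
JWT_SHAPE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# Key names treated as token-bearing (assumed denylist; extend per application).
SENSITIVE_KEYS = {"jwt", "token", "access_token", "refresh_token", "last_active_token"}

# Constructed sample modelled on the field name in the advisory; not real data.
SAMPLE_TOUCH_RESPONSE = {
    "response": {
        "id": "sess_EXAMPLE",
        "last_active_token": {"jwt": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyX0VYQU1QTEUifQ.c2ln"},
        "user": {"first_name": "Example", "email_addresses": [{"email_address": "user@example.com"}]},
    }
}

def find_leaked_tokens(obj: Any, path: str = "$") -> list:
    """Return sorted JSON paths whose key name or value shape indicates a bearer token."""
    hits = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if key.lower() in SENSITIVE_KEYS:
                hits.add(child)
            hits.update(find_leaked_tokens(value, child))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            hits.update(find_leaked_tokens(value, f"{path}[{i}]"))
    elif isinstance(obj, str) and JWT_SHAPE.match(obj):
        hits.add(path)
    return sorted(hits)

def redact_tokens(obj: Any) -> Any:
    """Copy of the body with sensitive keys dropped and JWT-shaped strings masked."""
    if isinstance(obj, dict):
        return {k: redact_tokens(v) for k, v in obj.items() if k.lower() not in SENSITIVE_KEYS}
    if isinstance(obj, list):
        return [redact_tokens(v) for v in obj]
    if isinstance(obj, str) and JWT_SHAPE.match(obj):
        return "[REDACTED]"
    return obj

def session_cookie_header(token: str, name: str = "__session") -> str:
    """Set-Cookie value that keeps the session out of JavaScript reach (cookie name assumed)."""
    return f"{name}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Running find_leaked_tokens over recorded API responses in a test suite is a cheap regression check that a token never reappears in a body once the cookie migration is done.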

Finding 2: Broken Object Level Authorization (IDOR)
CVE-2025-[PENDING]
Severity: HIGH
CVSS 3.1 Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
OWASP API Security: API1:2023 - Broken Object Level Authorization

Description
The API fails to perform proper server-side authorization checks on user_id 
parameters, allowing authenticated users to access private content belonging to 
other users.

Affected Components
/api/feed/v2 (studio-api.prod.suno.com)
/api/user/user_config/ (studio-api.prod.suno.com)
User content retrieval endpoints

Attack Vector

1. Attacker enumerates user IDs from /api/discover
2. Attacker uses victim’s user_id to query /api/feed/v2
3. Server returns private content without ownership validation

Impact

* Complete privacy breach
* Horizontal privilege escalation
* Mass data exfiltration
* Intellectual property theft
* Reconnaissance

Validation
Testing confirmed that one authenticated user could access another’s private 
data with no authorization check.

Remediation

* Enforce server-side ownership validation
* Match JWT user_id to requested resource
* Centralize and audit authorization logic
* Implement cross-user access logging
* Remove user_id parameters where unnecessary
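
An added example (my code, not Suno's) of the server-side ownership check and cross-user access logging recommended above. It assumes the JWT has already been signature-verified upstream and that its subject claim is the caller's user id; the clip store, user ids and clip ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Clip:
    clip_id: str
    owner_id: str
    is_public: bool

# Constructed sample store; ids are placeholders, not Suno data.
CLIPS = [
    Clip("clip_a1", "user_a", is_public=True),
    Clip("clip_a2", "user_a", is_public=False),
    Clip("clip_b1", "user_b", is_public=False),
]

# Cross-user access attempts are recorded so a detection pipeline can alert on
# enumeration patterns (one actor touching many distinct targets in a short window).
AUDIT_LOG = []

def feed_for(jwt_sub: str, requested_user_id: str) -> list:
    """Feed-style query with ownership enforced server-side.

    jwt_sub comes from the verified token (assumed verified upstream). The user_id
    parameter only selects whose feed is shown; it never widens what the caller sees.
    """
    is_owner = jwt_sub == requested_user_id
    if not is_owner:
        AUDIT_LOG.append({"event": "cross_user_feed", "actor": jwt_sub, "target": requested_user_id})
    return sorted(c.clip_id for c in CLIPS
                  if c.owner_id == requested_user_id and (c.is_public or is_owner))

def get_clip(jwt_sub: str, clip_id: str) -> Tuple[int, Optional[Clip]]:
    """Object-level check on one resource. A private clip the caller does not own
    returns 404 rather than 403 so the endpoint does not confirm that it exists."""
    clip = next((c for c in CLIPS if c.clip_id == clip_id), None)
    if clip is None:
        return 404, None
    if not clip.is_public and clip.owner_id != jwt_sub:
        AUDIT_LOG.append({"event": "cross_user_clip", "actor": jwt_sub, "target": clip.owner_id})
        return 404, None
    return 200, clip
```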

Finding 3: Unrestricted Resource Consumption (DoS)
CVE-2025-[PENDING]
Severity: MEDIUM
CVSS 3.1 Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CWE: CWE-770 (Allocation of Resources Without Limits)
OWASP API Security: API4:2023 - Unrestricted Resource Consumption

Description
The /api/clips/get_songs_by_ids endpoint accepts an unbounded number of IDs in a 
single request, enabling resource exhaustion and potential DoS conditions.

Affected Components
/api/clips/get_songs_by_ids (studio-api.prod.suno.com)
/api/feed/v2 (with large page sizes)

Impact

* Denial of Service and resource exhaustion
* Service degradation
* Cascading backend failures
* Low barrier for exploitation

Remediation

* Enforce strict limit on batch request size
* Implement rate limiting and throttling
* Paginate large requests
* Add monitoring and circuit breakers
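
An added example (my code, not Suno's) for the first two bullets: a size check on the ID list and a cost-aware token bucket, so that a batch of fifty IDs spends fifty times the budget of a single lookup and duplicates do not multiply cost. The endpoint name is the one the advisory cites; the cap, the refill rate and the traffic in simulate() are constructed assumptions.

```python
import time
from typing import Callable, Tuple
MAX_BATCH_IDS = 50  # assumed cap per call; tune to what one backend fetch can serve cheaply

def validate_batch(ids: object, max_ids: int = MAX_BATCH_IDS) -> Tuple[int, dict]:
    """Reject malformed or oversized ID batches before any backend work is done."""
    if not isinstance(ids, list) or not all(isinstance(i, str) for i in ids):
        return 400, {"error": "ids must be a list of strings"}
    unique = list(dict.fromkeys(ids))  # dedupe, keep order; duplicates must not multiply cost
    if len(unique) > max_ids:
        return 413, {"error": "too many ids", "max": max_ids}
    return 200, {"ids": unique}

class TokenBucket:
    """Per-user limiter where the cost of a call scales with the work it requests."""
    def __init__(self, capacity: float, refill_per_sec: float, clock: Callable[[], float] = time.monotonic):
        self.capacity, self.refill, self.clock = capacity, refill_per_sec, clock
        self.tokens, self.last = capacity, clock()

    def allow(self, cost: float = 1.0) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if cost > self.tokens:
            return False
        self.tokens -= cost
        return True

def get_songs_by_ids(bucket: TokenBucket, ids: object) -> Tuple[int, dict]:
    """Handler skeleton: cheap size check first, then charge one token per unique ID."""
    status, body = validate_batch(ids)
    if status != 200:
        return status, body
    if not bucket.allow(cost=len(body["ids"])):
        return 429, {"error": "rate limit exceeded"}
    return 200, {"clips": body["ids"]}  # the real clip lookup would go here

def simulate() -> list:
    """Constructed traffic against a fake clock; returns the status code per request."""
    clock = [0.0]
    bucket = TokenBucket(capacity=100, refill_per_sec=10, clock=lambda: clock[0])
    fifty = [f"id{i}" for i in range(50)]
    statuses = [get_songs_by_ids(bucket, fifty)[0] for _ in range(3)]  # 200, 200, 429
    statuses.append(get_songs_by_ids(bucket, fifty + ["id50"])[0])    # 413: over the cap
    clock[0] = 5.0                                                     # 50 tokens refilled
    statuses.append(get_songs_by_ids(bucket, ["dup"] * 80)[0])        # 200: dedupes to one id
    statuses.append(get_songs_by_ids(bucket, fifty)[0])               # 429: only 49 left
    clock[0] = 10.0
    statuses.append(get_songs_by_ids(bucket, fifty)[0])               # 200
    return statuses
```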

Vendor Response
Suno was notified with a formal report, business impact analysis, and secure 
disclosure channel options.

Vendor Response Pattern
Finding 1: Dismissed due to misunderstanding of client-side risk.
Finding 2: Claimed unreproducible despite full details.
Finding 3: Partially acknowledged without clear remediation.

Insecure Disclosure Channel
Vendor proposed Google Forms for exploit transmission, rejected due to lack of 
encryption, control, and auditability.

Decision to Disclose Publicly
After repeated non-engagement, public disclosure was initiated per standard 
90-day coordinated disclosure norms to protect users.

Testing Methodology
Framework: Penetration Testing Execution Standard (PTES)
Phases: Reconnaissance, Scanning, Vulnerability Assessment, Exploitation, 
Documentation
Scope: suno.com, studio-api.prod.suno.com, clerk.suno.com
Testing used only researcher-owned accounts and avoided destructive actions.

Recommendations for Users

* Assume session tokens may be compromised
* Monitor account activity
* Treat private content as potentially exposed
* Expect possible service disruption
* Limit sensitive use until remediation confirmed

Recommendations for Suno
Immediate Actions:

* Fix JWT exposure, IDOR, and DoS endpoints immediately
* Enforce secure token storage and strict authorization

Long-Term:

* Establish formal security contact and program
* Conduct OWASP API audit and external review
* Integrate secure coding and testing in CI/CD
* Implement disclosure and incident response policy

References
OWASP API Security Top 10
CWE-359, CWE-639, CWE-770
PTES
Google Project Zero Disclosure Policy

Credit
Discoverer: Christopher Dickinson
Disclosure Date: October 10, 2025
CVE Requests Submitted: October 10, 2025

Contact
Email: [email protected]

Legal
Testing was ethical, limited, and non-destructive using researcher-controlled 
accounts.
No user data was accessed or exfiltrated.
Disclosure made in the interest of public safety.

Disclaimer: Provided for educational and defensive purposes only. The author is 
not responsible for misuse.

Last Updated: October 10, 2025
Christopher Dickinson
Veteran | IT Professional | Cybersecurity Student | Business Management

