CVE-2024-55008: n/a
JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending multiple failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account lockout mechanism on the account level, effectively locking the user out indefinitely. Since the lockout is applied to the user account and not based on the IP address, any attacker can trigger the lockout on any user account, regardless of their privileges.
AI Analysis
Technical Summary
CVE-2024-55008 identifies a denial-of-service vulnerability in the authentication mechanism of JATOS version 3.9.4, a platform commonly used for online behavioral experiments. The vulnerability arises from an account lockout mechanism that triggers after multiple failed login attempts. Specifically, an attacker can submit three incorrect login attempts every minute against any user account, causing that account to become locked indefinitely. The lockout is applied per user account rather than per IP address, enabling attackers to target any user, including privileged accounts, without needing to authenticate or interact with the user. This flaw allows attackers to disrupt legitimate user access, effectively denying service at the account level. The vulnerability is rated with a CVSS v3.1 score of 7.5 (high severity), reflecting its network attack vector, low complexity, no privileges required, and no user interaction needed. The impact is limited to availability, with no direct confidentiality or integrity compromise. No patches or fixes have been published yet, and no known exploits are reported in the wild. The underlying weakness corresponds to CWE-307, which concerns improper restriction of excessive authentication attempts, highlighting a design flaw in the lockout implementation. Organizations relying on JATOS 3.9.4 should be aware of this vulnerability and consider immediate mitigations to prevent account lockout abuse.
Potential Impact
The primary impact of CVE-2024-55008 is the denial of service at the user account level, potentially locking out legitimate users indefinitely. This can disrupt research activities, data collection, and experiment participation in organizations using JATOS 3.9.4, particularly academic institutions and research labs. Since the lockout applies per account and not per IP, attackers can target multiple users, including administrators, causing widespread disruption. The inability of legitimate users to access their accounts can delay or halt critical operations, reduce productivity, and damage organizational reputation. Although confidentiality and integrity are not directly impacted, the availability loss can indirectly affect data collection and experiment validity. The ease of exploitation—requiring no authentication or user interaction—makes this vulnerability attractive for attackers aiming to cause disruption. The lack of a patch increases the risk window, especially for organizations with high user counts or sensitive research timelines.
Mitigation Recommendations
Until an official patch is released, organizations should implement compensating controls to mitigate the risk of account lockout abuse. These include:
1) Monitoring authentication logs to detect and alert on repeated failed login attempts targeting user accounts.
2) Implementing rate limiting or CAPTCHA challenges on login attempts to slow down automated attack attempts.
3) Adjusting the account lockout policy to consider IP address or implement progressive delays rather than indefinite lockouts.
4) Enabling multi-factor authentication (MFA) to reduce reliance on password-based authentication and limit the impact of lockouts.
5) Providing administrators with the ability to quickly unlock accounts or temporarily disable lockout mechanisms during attack periods.
6) Isolating critical administrative accounts from general user accounts to reduce attack surface.
7) Educating users about reporting lockout incidents promptly.
Organizations should also track vendor communications for patches and apply them immediately upon release.
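As an added illustration of recommendations 1 and 3 above, the following Python sketch is not JATOS code and does not describe how JATOS implements its lockout; it is a constructed model of the alternative policy (failures keyed on account and source address, with a capped, growing delay instead of an indefinite lock) together with a detector that flags the repeated-failure pattern in constructed log lines. The log format, field names, class and function names, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# --- Part 1: a throttle that cannot lock an account indefinitely ----------------
# Hypothetical CWE-307 mitigation design (constructed model, not JATOS code).

class LoginThrottle:
    """Count failures per (account, source_ip) and impose a capped, growing delay.

    Keying on the source address means an attacker's failures do not block the
    legitimate user signing in from elsewhere; capping the delay means no account
    is ever locked indefinitely.  Thresholds below are illustrative assumptions.
    """

    def __init__(self, threshold=3, window=60.0, base_delay=2.0, max_delay=900.0):
        self.threshold = threshold      # failures tolerated inside the window
        self.window = window            # seconds; older failures are forgotten
        self.base_delay = base_delay    # first delay once the threshold is reached
        self.max_delay = max_delay      # hard cap: never an indefinite lock
        self._failures = defaultdict(deque)   # (account, ip) -> failure timestamps
        self._blocked_until = {}              # (account, ip) -> epoch seconds

    @staticmethod
    def _key(account, ip):
        return (account.lower(), ip)

    def wait_seconds(self, account, ip, now):
        """Seconds this source must still wait before another attempt (0.0 = allowed)."""
        return max(0.0, self._blocked_until.get(self._key(account, ip), 0.0) - now)

    def record_failure(self, account, ip, now):
        """Register a failed attempt; return the delay now imposed on this source."""
        key = self._key(account, ip)
        stamps = self._failures[key]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:   # drop failures outside window
            stamps.popleft()
        excess = len(stamps) - self.threshold
        if excess < 0:
            return 0.0
        delay = min(self.base_delay * (2 ** excess), self.max_delay)  # exponential, capped
        self._blocked_until[key] = now + delay
        return delay

    def record_success(self, account, ip):
        """A successful login clears the counters for that source only."""
        key = self._key(account, ip)
        self._failures.pop(key, None)
        self._blocked_until.pop(key, None)


# --- Part 2: detecting the lockout-abuse pattern in authentication logs ---------
# Assumed line format (not real JATOS output): "<ISO8601Z> auth FAIL|OK user=<u> ip=<a>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one source failing repeatedly against "alice" within a minute.
SAMPLE_LOG = """\
2026-02-25T21:00:01Z auth FAIL user=alice ip=203.0.113.7
2026-02-25T21:00:21Z auth FAIL user=alice ip=203.0.113.7
2026-02-25T21:00:41Z auth FAIL user=alice ip=203.0.113.7
2026-02-25T21:00:50Z auth OK user=bob ip=198.51.100.9
2026-02-25T21:01:02Z auth FAIL user=alice ip=203.0.113.7
2026-02-25T21:03:15Z auth FAIL user=carol ip=198.51.100.9
"""


def lockout_abuse_alerts(log_text, threshold=3, window_seconds=60):
    """Return {(user, ip): peak_count} for sources with >= threshold failures against
    one account inside any window_seconds span, i.e. the rate that would trip a
    per-account lockout.  Malformed lines and successes are ignored."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "FAIL":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        per_source[(m["user"], m["ip"])].append(ts)
    alerts = {}
    for key, stamps in per_source.items():
        stamps.sort()
        start = 0                                     # sliding window over sorted stamps
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    print(lockout_abuse_alerts(SAMPLE_LOG))
```

Keying the throttle on (account, source) alone is not sufficient on its own, since failures can arrive from many sources; the point of the model is that whatever per-account component is added should also be a short, capped delay plus an alert to administrators, never a hard lock that only an administrator can clear. The detector is the log-side counterpart: it surfaces the accounts and sources showing the lockout-triggering rate so that the compensating controls (temporary unlock, source blocking) can be applied promptly.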
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, Sweden, Switzerland, France, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-12-06T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6bcab7ef31ef0b55af8d
Added to database: 2/25/2026, 9:38:18 PM
Last enriched: 2/27/2026, 11:45:11 PM
Last updated: 4/11/2026, 8:17:52 PM