Suno.com security disclosure: JWT token leakage, IDOR, and DoS vulnerabilities (github.com)

🤖 AI Summary
On October 9–10, 2025 a security researcher publicly disclosed three high-risk vulnerabilities in Suno.com's web and API stack: (1) excessive data exposure that returns active JWT session tokens in JSON (CVSS 7.1), (2) broken object-level authorization (IDOR) that lets any authenticated user fetch other users' private content (CVSS 6.5), and (3) unrestricted resource consumption on batch endpoints that enables trivial Denial-of-Service (CVSS 6.5). Affected endpoints include clerk.suno.com/v1/client/sessions/{session_id}/touch and studio-api.prod.suno.com endpoints (/api/feed/v2, /api/user/user_config/, /api/discover, /api/clips/get_songs_by_ids).

The researcher demonstrated practical exploits: a malicious browser extension can harvest JWTs from JSON responses to hijack sessions (bypassing MFA and exposing full PII and OAuth details), IDOR lets attackers enumerate user IDs and pull private songs, prompts and generation history, and unconstrained batch requests (tested with 54+ IDs) can exhaust CPU, memory and DB connections.

This disclosure is significant because it combines session token leakage, authorization bypass, and scalability flaws that enable account takeover, mass privacy breaches and large-scale DoS with low attacker privileges. The researcher reported the issues and requested secure channels; Suno's responses were inconsistent (disputes, inability to reproduce, and a Google Forms suggestion), prompting public disclosure.

Immediate mitigations recommended: remove JWTs from API responses and store them in HttpOnly Secure cookies with rotation, enforce server-side ownership checks for all user_id parameters, impose strict server limits/pagination and rate limiting on batch endpoints, centralize authorization, and audit APIs per OWASP API Security guidance.
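The three mitigations the summary recommends (no tokens in JSON bodies, server-side ownership checks on user_id parameters, hard caps on batch lookups), written as a small pure-Python handler layer. This is an added example, not code from the disclosure or from Suno; the batch cap of 20, the cookie name `__session`, the token key names and the JWT shape check are assumptions.

```python
import json
import re
from dataclasses import dataclass

# Assumed policy values (not from the disclosure): batch cap, cookie name, token keys.
MAX_BATCH_IDS = 20
SESSION_COOKIE = "__session"
TOKEN_KEYS = {"jwt", "token", "access_token", "id_token", "refresh_token"}
# Three base64url segments joined by dots: the shape of a compact JWT/JWS.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]+$")

@dataclass
class Session:
    user_id: str
    jwt: str  # issued by the auth service; must never reach a JSON body

class AuthorizationError(Exception):
    pass

def owner_scope(session, requested_user_id=None):
    """Ownership check for every user_id-style parameter: whose data is read
    comes from the session, never from the client-supplied id."""
    if requested_user_id is not None and requested_user_id != session.user_id:
        raise AuthorizationError("user_id does not belong to this session")
    return session.user_id

def bounded_ids(ids, limit=MAX_BATCH_IDS):
    """Hard server-side cap for batch lookups; duplicates are collapsed first so
    a padded list cannot inflate the work done per request."""
    unique = list(dict.fromkeys(ids))
    if len(unique) > limit:
        raise ValueError(f"batch of {len(unique)} ids exceeds limit {limit}")
    return unique

def _is_jwt(value):
    return isinstance(value, str) and JWT_RE.match(value) is not None

def scrub_tokens(obj):
    """Recursively drop token-named keys and any value shaped like a JWT."""
    if isinstance(obj, dict):
        return {k: scrub_tokens(v) for k, v in obj.items()
                if k.lower() not in TOKEN_KEYS and not _is_jwt(v)}
    if isinstance(obj, list):
        return [scrub_tokens(v) for v in obj if not _is_jwt(v)]
    return obj

def session_touch_response(session, body):
    """Session 'touch' reply: token only in an HttpOnly cookie, JSON body scrubbed."""
    cookie = f"{SESSION_COOKIE}={session.jwt}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return {"Set-Cookie": cookie}, json.dumps(scrub_tokens(body))
```

The value-shape check in `scrub_tokens` is the defence in depth: it catches a token that a serializer emits under an unexpected key, which a key-name denylist alone would miss.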