{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/azuracast/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AzuraCast (\u003c= 0.23.5)"],"_cs_severities":["high"],"_cs_tags":["azuracast","code-injection","liquidsoap","ghsa"],"_cs_type":"advisory","_cs_vendors":["AzuraCast"],"content_html":"\u003cp\u003eAzuraCast versions 0.23.5 and earlier are vulnerable to Liquidsoap code injection in the remote relay password field. This flaw stems from an incomplete migration of user-controlled fields from the vulnerable \u003ccode\u003ecleanUpString()\u003c/code\u003e method to the safe \u003ccode\u003etoRawString()\u003c/code\u003e method. Specifically, while commit \u003ccode\u003eff49ef4\u003c/code\u003e (dated 2026-03-06) addressed most fields, the remote relay password field continues to use \u003ccode\u003ecleanUpString()\u003c/code\u003e, which can be bypassed via nested Liquidsoap interpolation syntax (\u003ccode\u003e#{#{EXPR}}\u003c/code\u003e). An attacker with the \u003ccode\u003eRemoteRelays\u003c/code\u003e station permission can exploit this to inject arbitrary Liquidsoap code, potentially achieving remote code execution, disclosing internal API keys, reading and writing files within the Liquidsoap container, and disrupting station operation. 
This vulnerability allows attackers with minimal privileges to escalate their access within the AzuraCast environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker with \u003ccode\u003eRemoteRelays\u003c/code\u003e station permission crafts a malicious payload containing nested Liquidsoap interpolation syntax (\u003ccode\u003e#{#{EXPR}}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePUT\u003c/code\u003e request to \u003ccode\u003e/api/station/{station_id}/remote/{id}\u003c/code\u003e to update the remote relay\u0026rsquo;s password, including the crafted payload in the \u003ccode\u003esource_password\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emb_substr\u003c/code\u003e function truncates the password to 100 characters, but the payload remains within this limit.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eConfigWriter::getOutputString()\u003c/code\u003e function calls the vulnerable \u003ccode\u003ecleanUpString()\u003c/code\u003e method on the password during station configuration regeneration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecleanUpString()\u003c/code\u003e method\u0026rsquo;s ungreedy regex fails to properly sanitize the nested interpolation, resulting in a bypass.\u003c/li\u003e\n\u003cli\u003eThe bypassed payload is embedded within a double-quoted string in the Liquidsoap configuration file.\u003c/li\u003e\n\u003cli\u003eThe Liquidsoap process loads the updated configuration file, triggering the evaluation of the injected Liquidsoap code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the Liquidsoap process container or gains access to sensitive information, such as the internal API key.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to severe 
consequences, including arbitrary code execution within the Liquidsoap process container, potentially compromising the entire AzuraCast installation. The disclosure of the internal API key grants the attacker full control over the station\u0026rsquo;s API. Furthermore, the ability to read and write files within the Liquidsoap container allows for further exploitation and persistence. The attacker can also disrupt station operation by injecting malicious configurations that crash the Liquidsoap process. The low privilege requirement (only \u003ccode\u003eRemoteRelays\u003c/code\u003e permission) makes this vulnerability highly accessible to malicious actors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately replace the \u003ccode\u003ecleanUpString()\u003c/code\u003e method with \u003ccode\u003etoRawString()\u003c/code\u003e for the remote relay password field in \u003ccode\u003eConfigWriter.php\u003c/code\u003e, as described in the provided fix, to prevent Liquidsoap code injection.\u003c/li\u003e\n\u003cli\u003eAdjust the Shoutcast suffix append logic to ensure compatibility with raw strings after applying the \u003ccode\u003etoRawString()\u003c/code\u003e fix in \u003ccode\u003eConfigWriter.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AzuraCast Liquidsoap Code Injection via API\u0026rdquo; to detect attempts to exploit this vulnerability through malicious API requests targeting the remote relay password field.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for PUT requests to \u003ccode\u003e/api/station/*/remote/*\u003c/code\u003e containing the string \u003ccode\u003e#{#{\u003c/code\u003e in the request body, indicating a potential injection attempt, as shown in the 
PoC.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:19:55Z","date_published":"2026-05-04T21:19:55Z","id":"/briefs/2024-01-azuracast-liquidsoap-injection/","summary":"AzuraCast is vulnerable to Liquidsoap code injection due to the incomplete migration from `cleanUpString()` to `toRawString()` in the remote relay password field, allowing a user with the `RemoteRelays` station permission to inject arbitrary Liquidsoap code by exploiting nested interpolation syntax, leading to arbitrary code execution, API key disclosure, and station disruption.","title":"AzuraCast Liquidsoap Code Injection in Remote Relay Password","url":"https://feed.craftedsignal.io/briefs/2024-01-azuracast-liquidsoap-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["azuracast (\u003c= 0.23.5)"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","azuracast","webserver"],"_cs_type":"advisory","_cs_vendors":["composer"],"content_html":"\u003cp\u003eAzuraCast, a self-hosted web radio management suite, is susceptible to a critical path traversal vulnerability (CVE-2026-42605) in its Flow.js media upload endpoint (\u003ccode\u003e/api/station/{station_id}/files/upload\u003c/code\u003e). This flaw allows an authenticated user with media management permissions, such as a DJ or station manager, to bypass file storage directory restrictions. By manipulating the \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter during file uploads, attackers can write arbitrary files to locations outside the intended media directory. The vulnerability is present in versions up to and including 0.23.5, and exploitation leads to remote code execution via PHP webshell upload, potentially resulting in full server compromise. 
The default local filesystem storage backend is required for exploitation; S3 or remote storage is not vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the AzuraCast web interface with a valid user account that has the \u003ccode\u003eStationPermissions::Media\u003c/code\u003e permission (e.g., DJ or Station Manager).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003e/api/station/{station_id}/files/upload\u003c/code\u003e endpoint, targeting a station that uses local storage.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter containing path traversal sequences (e.g., \u003ccode\u003e../../../../../var/azuracast/www/public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request also includes a PHP webshell file (\u003ccode\u003eshell.php\u003c/code\u003e) as the \u003ccode\u003efile_data\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server-side code in \u003ccode\u003eFlowUploadAction.php\u003c/code\u003e concatenates the unsanitized \u003ccode\u003ecurrentDirectory\u003c/code\u003e value with the sanitized filename.\u003c/li\u003e\n\u003cli\u003eThe server attempts to process the uploaded file, but the \u003ccode\u003e.php\u003c/code\u003e extension triggers a \u003ccode\u003eCannotProcessMediaException\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efinally\u003c/code\u003e block in \u003ccode\u003eMediaProcessor.php\u003c/code\u003e executes, calling \u003ccode\u003eLocalFilesystem::upload()\u003c/code\u003e to copy the file to the concatenated path, bypassing normal path sanitization due to \u003ccode\u003ePathPrefixer::prefixPath()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe webshell is written to the web root, allowing the attacker to execute arbitrary commands by accessing the webshell via 
HTTP.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on the AzuraCast server. This can lead to full server compromise, including reading sensitive configuration files (database credentials, API keys), accessing all station data, modifying application code, and potentially escalating privileges to root. A DJ-level user, the lowest privileged role with media access, can achieve the equivalent of full system administrator access, resulting in data exfiltration and complete control over the AzuraCast instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the vendor-provided patch by sanitizing the \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameter in \u003ccode\u003eFlowUploadAction.php\u003c/code\u003e using \u003ccode\u003eUploadedFile::filterClientPath()\u003c/code\u003e to prevent path traversal.\u003c/li\u003e\n\u003cli\u003eImplement path normalization in \u003ccode\u003eLocalFilesystem::upload()\u003c/code\u003e to prevent traversal even after concatenation, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AzuraCast Webshell Upload via Path Traversal\u0026rdquo; to identify exploitation attempts based on suspicious \u003ccode\u003ecurrentDirectory\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to unusual PHP files in the web root directory, such as \u003ccode\u003eshell.php\u003c/code\u003e as described in the PoC.\u003c/li\u003e\n\u003cli\u003eEnsure that AzuraCast instances do not grant excessive permissions to users; minimize the number of accounts with 
\u003ccode\u003eStationPermissions::Media\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-azuracast-rce/","summary":"AzuraCast is vulnerable to path traversal in the Flow.js media upload endpoint, allowing authenticated users with media permissions to write arbitrary files, leading to remote code execution via PHP webshell upload.","title":"AzuraCast Path Traversal Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-azuracast-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Azuracast","version":"https://jsonfeed.org/version/1.1"}