{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/azuracast/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AzuraCast (\u003c= 0.23.5)"],"_cs_severities":["high"],"_cs_tags":["azuracast","code-injection","liquidsoap","ghsa"],"_cs_type":"advisory","_cs_vendors":["AzuraCast"],"content_html":"\u003cp\u003eAzuraCast versions 0.23.5 and earlier are vulnerable to a Liquidsoap code injection vulnerability in the remote relay password field. This flaw stems from an incomplete migration of user-controlled fields from the vulnerable \u003ccode\u003ecleanUpString()\u003c/code\u003e method to the safe \u003ccode\u003etoRawString()\u003c/code\u003e method. Specifically, while commit \u003ccode\u003eff49ef4\u003c/code\u003e (dated 2026-03-06) addressed most fields, the remote relay password field continues to use \u003ccode\u003ecleanUpString()\u003c/code\u003e, which can be bypassed via nested Liquidsoap interpolation syntax (\u003ccode\u003e#{#{EXPR}}\u003c/code\u003e). An attacker with the \u003ccode\u003eRemoteRelays\u003c/code\u003e station permission can exploit this to inject arbitrary Liquidsoap code, potentially achieving remote code execution, disclosing internal API keys, reading and writing files within the Liquidsoap container, and disrupting station operation. This vulnerability allows attackers with minimal privileges to escalate their access within the AzuraCast environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker with \u003ccode\u003eRemoteRelays\u003c/code\u003e station permission crafts a malicious payload containing nested Liquidsoap interpolation syntax (\u003ccode\u003e#{#{EXPR}}\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePUT\u003c/code\u003e request to \u003ccode\u003e/api/station/{station_id}/remote/{id}\u003c/code\u003e to update the remote relay\u0026rsquo;s password, including the crafted payload in the \u003ccode\u003esource_password\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emb_substr\u003c/code\u003e function truncates the password to 100 characters, but the payload remains within this limit.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eConfigWriter::getOutputString()\u003c/code\u003e function calls the vulnerable \u003ccode\u003ecleanUpString()\u003c/code\u003e method on the password during station configuration regeneration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecleanUpString()\u003c/code\u003e method\u0026rsquo;s ungreedy regex fails to properly sanitize the nested interpolation, resulting in a bypass.\u003c/li\u003e\n\u003cli\u003eThe bypassed payload is embedded within a double-quoted string in the Liquidsoap configuration file.\u003c/li\u003e\n\u003cli\u003eThe Liquidsoap process loads the updated configuration file, triggering the evaluation of the injected Liquidsoap code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the Liquidsoap process container or gains access to sensitive information, such as the internal API key.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to severe consequences, including arbitrary code execution within the Liquidsoap process container, potentially compromising the entire AzuraCast installation. The disclosure of the internal API key grants the attacker full control over the station\u0026rsquo;s API. Furthermore, the ability to read and write files within the Liquidsoap container allows for further exploitation and persistence. The attacker can also disrupt station operation by injecting malicious configurations that crash the Liquidsoap process. The low privilege requirement (only \u003ccode\u003eRemoteRelays\u003c/code\u003e permission) makes this vulnerability highly accessible to malicious actors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately replace the \u003ccode\u003ecleanUpString()\u003c/code\u003e method with \u003ccode\u003etoRawString()\u003c/code\u003e for the remote relay password field in \u003ccode\u003eConfigWriter.php\u003c/code\u003e, as described in the provided fix, to prevent Liquidsoap code injection.\u003c/li\u003e\n\u003cli\u003eAdjust the Shoutcast suffix append logic to ensure compatibility with raw strings after applying the \u003ccode\u003etoRawString()\u003c/code\u003e fix in \u003ccode\u003eConfigWriter.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AzuraCast Liquidsoap Code Injection via API\u0026rdquo; to detect attempts to exploit this vulnerability through malicious API requests targeting the remote relay password field.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for PUT requests to \u003ccode\u003e/api/station/*/remote/*\u003c/code\u003e containing the string \u003ccode\u003e#{#{\u003c/code\u003e in the request body, indicating a potential injection attempt, as shown in the PoC.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T21:19:55Z","date_published":"2026-05-04T21:19:55Z","id":"/briefs/2024-01-azuracast-liquidsoap-injection/","summary":"AzuraCast is vulnerable to a Liquidsoap code injection vulnerability due to the incomplete migration from `cleanUpString()` to `toRawString()` in the remote relay password field, allowing a user with the `RemoteRelays` station permission to inject arbitrary Liquidsoap code by exploiting nested interpolation syntax, leading to arbitrary code execution, API key disclosure, and station disruption.","title":"AzuraCast Liquidsoap Code Injection in Remote Relay Password","url":"https://feed.craftedsignal.io/briefs/2024-01-azuracast-liquidsoap-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — AzuraCast","version":"https://jsonfeed.org/version/1.1"}