CVE-2025-67737
Unauthorized API Access in AzuraCast Enables Database Manipulation
Publication date: 2025-12-12
Last updated on: 2026-02-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| azuracast | azuracast | up to 0.23.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in AzuraCast version 0.23.1 involves an API endpoint that was intended only for internal use by the SFTP software sftpgo but was mistakenly exposed to the public-facing HTTP API. A user with specific internal knowledge, including a valid SFTP station username and the internal filesystem structure, can craft a custom HTTP request to modify the contents of a station's database without revealing internal information about the station. This issue is fixed in version 0.23.2.
How can this vulnerability impact me?
The vulnerability allows a malicious user who has certain internal knowledge to alter the contents of a station's database via the exposed API endpoint. This could lead to unauthorized modifications of data within the AzuraCast system, potentially disrupting operations or corrupting data.
What immediate steps should I take to mitigate this vulnerability?
Upgrade AzuraCast to version 0.23.2 or later, as this version fixes the vulnerability by removing the mistakenly exposed internal API endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker with specific internal knowledge to modify database records related to media files, causing partial data loss and integrity compromise. However, it does not disclose any confidential information or personal data. Given the low severity and the nature of the impact (no confidentiality breach, only low integrity impact), this vulnerability may pose a limited risk to compliance with standards like GDPR or HIPAA, which emphasize data confidentiality and integrity. Organizations relying on AzuraCast should consider the potential impact on data integrity and ensure proper access controls and patching to maintain compliance. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking whether the internal API endpoint `/api/internal/sftp-event` is accessible from outside the localhost. One way to test this is to send a crafted HTTP POST request to the endpoint and observe whether it is accepted. For example, you can use the following curl command to test access locally or remotely (replace `localhost` with your server's IP if testing remotely):

```bash
curl -s -X POST "http://localhost/api/internal/sftp-event" \
  -H "Content-Type: application/json" \
  -d '{ "action": "pre-delete", "username": "admin", "path": "/var/azuracast/stations/test/media/test.mp3" }'
```

If this request is accepted externally (not just from localhost), your system is vulnerable. Additionally, you can scan your network or system for this endpoint being reachable externally. The patch restricts this endpoint to internal connections only, so if your version is older than 0.23.2 and the endpoint is reachable externally, the vulnerability exists. [1]
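A log-side complement to the request test above, added here as an example and not taken from the advisory or from AzuraCast's own code: it parses reverse-proxy access-log lines in the common "combined" format (an assumption about how your front-end proxy logs) and flags any request under `/api/internal/` whose client address is not loopback or in an RFC 1918 / IPv6 ULA range, since only the co-located sftpgo process should ever call that endpoint. The sample log lines, addresses and status codes are constructed for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Path prefix named in the advisory; sftpgo calls /api/internal/sftp-event
# from the same host or container network, never from the public internet.
INTERNAL_PATH_PREFIX = "/api/internal/"

# Address ranges treated as "internal". Listed explicitly rather than via
# ipaddress.is_private, because that flag also covers the documentation
# ranges (198.51.100.0/24, 203.0.113.0/24) used for the external samples below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]

# nginx/Apache "combined" log format (assumption about the proxy's log format).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    path: str
    status: int


def is_internal(ip_str: str) -> bool:
    """True if the client address lies in one of INTERNAL_NETS.

    Unparseable addresses are treated as external so they are never
    silently waved through."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    # 'in' returns False when the address and network families differ.
    return any(ip in net for net in INTERNAL_NETS)


def scan_log(lines: Iterable[str]) -> List[Finding]:
    """Return every request to /api/internal/* from a non-internal client.

    A hit is reported regardless of status: an accepted call (2xx) on a
    pre-0.23.2 install means the endpoint is exposed; a rejected call on a
    patched install is still an external probe worth knowing about."""
    findings: List[Finding] = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if not path.startswith(INTERNAL_PATH_PREFIX):
            continue
        if is_internal(m.group("ip")):
            continue  # expected caller (sftpgo / container network)
        findings.append(Finding(m.group("ip"), m.group("time"),
                                m.group("method"), path, int(m.group("status"))))
    return findings


# Constructed sample log. Client addresses and status codes are made up.
SAMPLE_LOG = [
    # sftpgo callback from the Docker bridge network: legitimate, not reported
    '172.18.0.5 - - [12/Dec/2025:10:01:02 +0000] "POST /api/internal/sftp-event HTTP/1.1" 200 2 "-" "Go-http-client/1.1"',
    # ordinary public API traffic, outside the internal prefix
    '203.0.113.7 - - [12/Dec/2025:10:01:05 +0000] "GET /api/nowplaying HTTP/1.1" 200 1532 "-" "curl/8.5.0"',
    # external client whose call to the internal endpoint was accepted
    '203.0.113.7 - - [12/Dec/2025:10:01:09 +0000] "POST /api/internal/sftp-event HTTP/1.1" 200 2 "-" "curl/8.5.0"',
    # external probe that was rejected (status code constructed)
    '198.51.100.23 - - [12/Dec/2025:10:02:11 +0000] "POST /api/internal/sftp-event?x=1 HTTP/1.1" 403 31 "-" "python-requests/2.32"',
    # a line that is not in combined format is skipped
    'garbage line',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time}  {f.ip:>15}  {f.method} {f.path} -> {f.status}")
```

Point `scan_log` at the real access log of whatever terminates TLS in front of AzuraCast. If another proxy or load balancer sits in front of that, the logged client address will be the proxy's own (internal-looking) address; in that case log and parse the forwarded client address instead, or the check reports nothing. Any finding with a 2xx status on a version older than 0.23.2 corroborates the curl test above.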