CVE-2026-42605
Status: Received - Intake
Path Traversal in AzuraCast Leading to RCE

Publication date: 2026-05-09

Last updated on: 2026-05-09

Assigner: GitHub, Inc.

Description
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6.
Meta Information
Published: 2026-05-09
Last Modified: 2026-05-09
Generated: 2026-05-10
AI Q&A: 2026-05-09
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: azuracast
Product: azuracast
Version / Range: all versions prior to 0.23.6 (0.23.6 itself excluded)
Exploitability
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42605 is a path traversal vulnerability in AzuraCast versions before 0.23.6. The currentDirectory parameter of the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized, so an authenticated user holding media management permissions can make the upload land outside the station's intended media storage directory.

This vulnerability enables an attacker to upload arbitrary files, including PHP webshells, to the web root directory. This can lead to remote code execution, allowing the attacker to execute system commands with the privileges of the AzuraCast application user.

The root cause is ordering: the uploaded filename is sanitized, but the currentDirectory value is then concatenated into the destination path without normalization, so any "../" sequences in that value survive into the final path. Uploading a PHP file does raise an exception for an invalid MIME type, but that check runs after the copy, so the file is already sitting at the traversed location by the time the exception propagates.
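The ordering bug described above, shown as an added illustration rather than AzuraCast's own code: a filename-only sanitizer beside a hardened join that normalizes the combined path and checks it against the storage root before anything is copied. The directory layout, the function names and the attacker-supplied request values are assumptions made for this example.

```php
<?php
// Added example, not AzuraCast's own code: why sanitizing only the uploaded
// filename is not enough when an unsanitized directory parameter is joined in
// afterwards, and a hardened join that normalizes the combined path and checks
// it against the storage root before anything is written.
// The directory layout, function names and request values are assumptions.
declare(strict_types=1);

// Vulnerable pattern (illustrative): basename() strips any directory part from
// the filename, but currentDirectory is appended untouched, so its "../"
// segments survive into the destination path.
function vulnerableTargetPath(string $mediaRoot, string $currentDirectory, string $filename): string
{
    $safeName = basename($filename);
    return rtrim($mediaRoot, '/') . '/' . $currentDirectory . '/' . $safeName;
}

// Lexical normalization that does not require the path to exist (realpath()
// returns false for a file that has not been created yet). Collapses "//",
// "." and ".."; a ".." at the top never climbs above "/".
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

// Hardened pattern: normalize the *combined* path, then require it to stay
// beneath the media root. This runs before any MIME check or copy, so a
// rejected request never touches the filesystem. Needs PHP 8+ for str_starts_with().
function safeTargetPath(string $mediaRoot, string $currentDirectory, string $filename): string
{
    $root = normalizePath($mediaRoot);
    $candidate = normalizePath($root . '/' . $currentDirectory . '/' . basename($filename));
    if (!str_starts_with($candidate, $root . '/')) {
        throw new InvalidArgumentException('destination escapes media storage: ' . $candidate);
    }
    // In a real handler, also realpath() the existing parent directory here so a
    // symlink inside the media tree cannot redirect the write elsewhere.
    return $candidate;
}

// Assumed station layout and an attacker-controlled request (constructed for this demo).
$mediaRoot        = '/var/azuracast/stations/demo/media';
$currentDirectory = '../../../www/web';   // three levels up, then into an assumed web root
$filename         = 'shell.php';

echo "vulnerable: ", vulnerableTargetPath($mediaRoot, $currentDirectory, $filename), PHP_EOL;

try {
    echo "hardened:   ", safeTargetPath($mediaRoot, $currentDirectory, $filename), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")", PHP_EOL;
}

// A legitimate sub-directory upload is still accepted by the hardened join.
echo "legit:      ", safeTargetPath($mediaRoot, 'albums/2026', 'track.mp3'), PHP_EOL;
```

Run it with the php CLI. The vulnerable join returns a path that still carries the three "../" segments, which any subsequent copy resolves to the assumed web root; the hardened join throws before a copy could happen, while the ordinary sub-directory upload is still accepted. Lexical normalization on its own does not defeat symlinks already present inside the media tree, which is why the comment in safeTargetPath() recommends a realpath() check on the existing parent directory as well.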


How can this vulnerability impact me?

This vulnerability can have severe impacts including remote code execution on the server hosting AzuraCast. An attacker with media management permissions can upload a PHP webshell, gaining the ability to execute arbitrary system commands.

Exploitation can lead to compromise of the host running AzuraCast, a foothold for privilege escalation, and unauthorized access to sensitive data such as database credentials, API keys, and application secrets.

The reported CVSS base score is 8.8 (high), reflecting a network attack vector, low attack complexity, and no user interaction; the attacker does need an authenticated account that holds media management permissions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection rests on two signals: requests to the upload endpoint whose currentDirectory value carries traversal sequences, and files (especially PHP files) appearing outside the station's media storage directory.

Exploitation requires an authenticated user with media management permissions uploading through POST /api/station/{station_id}/files/upload, so review application and web server logs for such requests whose currentDirectory value contains ../ or one of its URL-encoded forms (..%2f, %2e%2e/, %2e%2e%2f). If the parameter travels in the multipart body rather than the query string, a standard access log will not record it and you will need application-level, reverse-proxy or WAF request logging. Because the PHP upload only fails with a MIME-type exception after the file has been copied, a run of failed upload responses on that endpoint from a single account is itself worth investigating.

  • Search logs for traversal patterns in the parameter, including encoded variants: grep -rEi 'currentDirectory=[^& ]*(\.\./|\.\.%2f|%2e%2e)' /path/to/azuracast/logs
  • List PHP files in the web root and compare them against a clean install of the same version; the web root legitimately contains PHP entry points, so what matters is additions, not the presence of PHP as such: find /var/azuracast/www/public -type f -name '*.php' -mtime -7 (adjust the path to your installation's document root and the time window to the period under review)
  • Look for recently created or modified files under the application tree that sit outside the expected media directories: find <app-root> -type f -mtime -7 -not -path '<media-root>/*' (substitute your own paths; any unexpected hit, PHP or otherwise, indicates a write that the upload endpoint should never have been able to make)

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade AzuraCast to version 0.23.6 or later, where the vulnerability has been patched.

If upgrading immediately is not possible, restrict media management permissions to trusted users only, since exploitation requires an authenticated account with those permissions; audit which accounts currently hold them and remove any that do not need them.

Implement monitoring and alerting for suspicious file uploads and path traversal attempts.

Consider using a remote storage backend (e.g., S3) instead of the default local filesystem backend; the advisory describes the arbitrary write as exploitable only with local filesystem storage, because that is where a traversed path can land in the local web root.

If you apply a custom patch or workaround instead, normalize the combined destination path (media root plus currentDirectory plus filename) and verify that it still resolves beneath the station's media directory before any file is written; sanitizing the filename alone, as the vulnerable code did, does not help when the directory component is appended afterwards.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an authenticated user with media management permissions to achieve remote code execution by writing arbitrary files outside the intended media storage directory, potentially leading to compromise of the host.

Such a compromise can result in unauthorized access to sensitive data including database credentials, API keys, and application secrets.

This exposure and potential data breach could negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access.

