CVE Reports
Posted on • Originally published at cvereports.com

GHSA-93FX-5QGC-WR38: Authenticated Remote Code Execution via Liquidsoap Interpolation in AzuraCast

Vulnerability ID: GHSA-93FX-5QGC-WR38
CVSS Score: 8.8
Published: 2026-03-09

AzuraCast versions prior to 0.23.4 contain a Remote Code Execution (RCE) vulnerability. The flaw exists in the ConfigWriter class, which fails to properly sanitize user-supplied metadata before writing it to Liquidsoap configuration files. This allows authenticated users to inject arbitrary commands via Liquidsoap's string interpolation functionality.

TL;DR

Authenticated Remote Code Execution in AzuraCast via improper sanitization of Liquidsoap configuration files, fixed in version 0.23.4.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-94 (Improper Control of Generation of Code)
  • Attack Vector: Network
  • Privileges Required: Low (Authenticated)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • AzuraCast installations prior to 0.23.4
  • AzuraCast: < 0.23.4 (Fixed in: 0.23.4)

Code Analysis

Commit: d04b5c5

Initial incomplete patch utilizing preg_replace

Commit: ff49ef4

Final patch introducing the toRawString method and randomized literal string tags

Mitigation Strategies

  • Upgrade AzuraCast to version 0.23.4 or later.
  • Restrict user permissions in multi-tenant environments.
  • Disable 'Custom Liquidsoap Configuration' for untrusted users.
  • Run the Liquidsoap process as a highly restricted system user.

Remediation Steps:

  1. Log into the server hosting the AzuraCast instance.
  2. Initiate the standard AzuraCast update process (e.g., using the docker.sh update script).
  3. Verify the application version is successfully updated to 0.23.4.
  4. Audit existing liquidsoap.liq files for unexpected string interpolation patterns.
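
One way to carry out step 4, as an added example that is not AzuraCast's or the report's own code: a small Python scanner that reports every `#{` occurring inside a quoted string of a `.liq` file. It assumes Liquidsoap's `#{...}` interpolation syntax and `#` line comments, does not parse multi-line comments or raw string literals, and the function name and sample config are constructed for illustration.

```python
import sys

def find_interpolations(text):
    """Return (line_number, source_line) for each '#{' inside a quoted string."""
    hits = []
    quote = None                      # active string delimiter, None outside strings
    i, n = 0, len(text)
    while i < n:
        ch = text[i]
        if quote is None:
            if ch in "\"'":
                quote = ch
            elif ch == "#":
                # Outside a string '#' starts a comment: skip to end of line.
                end = text.find("\n", i)
                i = n if end == -1 else end
                continue
        elif ch == "\\":
            i += 2                    # skip the escaped character (e.g. \")
            continue
        elif ch == quote:
            quote = None
        elif text.startswith("#{", i):
            start = text.rfind("\n", 0, i) + 1
            end = text.find("\n", i)
            end = n if end == -1 else end
            hits.append((text.count("\n", 0, i) + 1, text[start:end].strip()))
        i += 1
    return hits

# Constructed sample for illustration, not taken from a real station config.
SAMPLE = '''\
# a comment mentioning "#{ignored}" must not be reported
station_name = "Example FM"
annotate = "title=\\"Evening Show\\",artist=\\"#{station_name}\\""
plain = "no interpolation here"  # trailing "#{comment}"
'''

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, src in find_interpolations(fh.read()):
                    print(f"{path}:{line_no}: {src}")
    else:
        for line_no, src in find_interpolations(SAMPLE):
            print(f"<sample>:{line_no}: {src}")
```

Pass the paths of the `liquidsoap.liq` files as arguments. Interpolation that a configuration uses on purpose is listed too, so each hit needs review against what the operator intended.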

Read the full report for GHSA-93FX-5QGC-WR38 on our website for more details including interactive diagrams and full exploit analysis.