
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-xv8g-fj9h-6gmv: Missing Authentication in Linkdave Audio Streaming Server

Vulnerability ID: GHSA-XV8G-FJ9H-6GMV
CVSS Score: 9.8
Published: 2026-03-10

Linkdave, a high-performance Lavalink rewrite in Go, had no authentication at all on its control plane prior to commit 0f9a00d. This critical vulnerability lets any unauthenticated remote client that can reach the server establish WebSocket connections, call the REST API, and hijack or terminate active audio streaming sessions.

TL;DR

Unauthenticated remote attackers can fully control Linkdave audio streaming sessions via exposed WebSocket and REST endpoints due to a lack of authentication mechanisms.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306
  • Attack Vector: Network
  • Impact: Application Takeover / Denial of Service
  • Exploit Status: Proof of Concept
  • CVSS Score: 9.8
  • Authentication Required: None

Affected Systems

  • shi-gg/linkdave (Go server): all builds before commit 0f9a00d9d549b16278db81fce6dfec350c2abc01 (fixed in that commit)
  • linkdave (TypeScript client): < 0.1.5 (fixed in 0.1.5)

Code Analysis

Commit: 0f9a00d

Introduced shared-secret authentication for both the REST and WebSocket endpoints; the secret is read from the LINKDAVE_PASSWORD environment variable.
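To make the fix concrete, here is an added example of what shared-secret authentication on a Go control plane of this kind looks like. It is not Linkdave's code: the handler paths, the use of the raw password in the Authorization header (the Lavalink convention, assumed here), and the loopback bind are all assumptions. The two properties worth checking in any such patch are shown explicitly: the server fails closed when LINKDAVE_PASSWORD is unset, and the comparison is constant-time.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"log"
	"net/http"
	"os"
)

// authConfig holds the shared secret loaded from LINKDAVE_PASSWORD.
type authConfig struct {
	password string
}

// loadAuthFromEnv reads LINKDAVE_PASSWORD. An empty value is treated as a
// misconfiguration: the server refuses to start rather than running open,
// which is exactly the pre-fix state this advisory describes.
func loadAuthFromEnv() (authConfig, error) {
	pw := os.Getenv("LINKDAVE_PASSWORD")
	if pw == "" {
		return authConfig{}, errors.New("LINKDAVE_PASSWORD is not set; refusing to start without authentication")
	}
	return authConfig{password: pw}, nil
}

// authorized compares the presented secret with the configured one in
// constant time, so response timing does not reveal how many bytes matched.
func (a authConfig) authorized(presented string) bool {
	// Fail closed: no configured secret (or no presented secret) means nobody is authorized.
	if a.password == "" || presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(a.password), []byte(presented)) == 1
}

// requireAuth wraps both REST handlers and the WebSocket upgrade handler.
// Carrying the raw password in the Authorization header is an assumption
// (the Lavalink convention), not a statement about Linkdave's wire format.
func requireAuth(a authConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !a.authorized(r.Header.Get("Authorization")) {
			w.WriteHeader(http.StatusUnauthorized)
			_, _ = w.Write([]byte("unauthorized\n"))
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	auth, err := loadAuthFromEnv()
	if err != nil {
		log.Fatal(err)
	}

	mux := http.NewServeMux()
	// Hypothetical route names; every control-plane route goes through requireAuth.
	mux.Handle("/v4/websocket", requireAuth(auth, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The WebSocket upgrade would happen here; only reached when authenticated.
		_, _ = w.Write([]byte("authenticated: would upgrade to websocket\n"))
	})))
	mux.Handle("/v4/", requireAuth(auth, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("authenticated REST call\n"))
	})))

	// Bind to loopback: the advisory's network-access-control mitigation applied at the listener.
	// Port 8080 is one of the control ports named in the advisory.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", mux))
}
```

Run it with `LINKDAVE_PASSWORD="$(openssl rand -hex 32)" go run .`; without the variable set, the process exits at startup instead of serving unauthenticated, which is the behaviour a deployment check should confirm after applying the patch.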

Mitigation Strategies

  • Update the Linkdave Go server to the patched commit.
  • Update the Linkdave TypeScript client to version 0.1.5 or newer.
  • Configure the LINKDAVE_PASSWORD environment variable with a strong secret.
  • Implement network access controls to restrict access to the control ports.
  • Deploy Linkdave behind a TLS-terminating reverse proxy.

Remediation Steps:

  1. Pull the latest source code containing commit 0f9a00d9d549b16278db81fce6dfec350c2abc01.
  2. Recompile and redeploy the Go server binary.
  3. Generate a secure, random string (e.g., using openssl rand -hex 32).
  4. Set the generated string as the LINKDAVE_PASSWORD environment variable in the server's execution environment.
  5. Update the bot application's package.json to require linkdave >= 0.1.5.
  6. Configure the bot application to pass the generated password in its Linkdave client configuration.
  7. Configure host firewalls (e.g., iptables, UFW) to drop external traffic to ports 8080 and 18080.

Read the full report for GHSA-XV8G-FJ9H-6GMV on our website for more details including interactive diagrams and full exploit analysis.
