Listen to this Post
The vulnerability exists in TinyIce’s WebRTC source-ingest HTTP endpoint, POST /webrtc/source-offer?mount=WebRTCManager.HandleSourceOffer, accepting any audio/video tracks (Opus/H.264) from the peer. Unlike other ingest paths (HTTP/1 with Icecast SOURCE/PUT, RTMP, SRT) that require a per-mount source password or default_source_password, this WebRTC endpoint has no credential validation. The attacker can identify a target mount name from public directory listings or player URLs. After negotiating a WebRTC peer connection, the attacker publishes arbitrary content to that mount. The server broadcasts this injected stream to every listener, effectively hijacking the radio station. The legitimate publisher can reconnect and temporarily take over because TinyIce’s source-takeover handshake gives priority to new offers (with a 3-second drain of the old pump goroutine). However, the attacker can immediately reconnect, leading to sustained hijacking until manual intervention (firewall block, password rotation, or restart). The endpoint returns a 400 Bad Request with SDP parsing errors when exploited, but never asks for credentials. The fix (commit 8067d6b, v2.5.0) now requires HTTP Basic auth or a `?password=` query parameter, compares the password using bcrypt, and integrates the brute-force IP rate-limiter.
dailycve form:
Platform: TinyIce
Version: v0.8.95-v2.4.1
Vulnerability: Missing WebRTC auth
Severity: Critical
date: 2026-05-09
Prediction: 2026-05-09 (released)
What Undercode Say:
Detection command (malformed offer)
curl -i -X POST 'http://target/webrtc/source-offer?mount=/live' \
-H 'Content-Type: application/json' \
-d '{"type":"offer","sdp":"v=0\r\n"}'
Expected vulnerable response: 400 Bad Request with SDP error
Patched response: 401 Unauthorized
Check logs on patched server
grep "Authentication failed for user 'webrtc-source'" /var/log/tinyice.log
Block endpoint via reverse proxy (nginx example)
location /webrtc/source-offer { deny all; }
how Exploit:
- Discover mount name (e.g., `/live` from directory listing).
- Send POST to `/webrtc/source-offer?mount=/live` with valid WebRTC SDP offer (any audio/video tracks).
3. Establish peer connection; server accepts without password.
4. Broadcast arbitrary Opus/H.264 stream to all listeners.
Protection from this CVE
- Upgrade to TinyIce v2.5.0 or later.
- Block `POST /webrtc/source-offer` at reverse proxy.
- Restrict HTTP port to trusted network (VPN/internal LAN).
- Rotate source passwords after patching.
Impact:
Attacker replaces live broadcast with malicious audio/video; listeners hear hijacked content. No confidentiality breach, but high integrity impact (broadcast takeover). Sustained hijack possible until operator intervention.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

