CVE-2020-37170 in TapinRadio
Summary
by MITRE • 02/07/2026
TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy address configuration that allows local attackers to crash the application. Attackers can overwrite the address field with 3000 bytes of arbitrary data to trigger an application crash and prevent normal program functionality.
Analysis
by VulDB Data Team • 02/19/2026
The vulnerability identified as CVE-2020-37170 affects TapinRadio version 2.12.3 and is a denial of service condition stemming from improper input validation in the application's proxy address configuration functionality. A local attacker can trigger a buffer handling flaw that occurs when the application processes user-supplied data in the proxy address field: supplying 3000 bytes of arbitrary data to overwrite the address field causes the application to crash and become unresponsive. The weakness belongs to the buffer overflow family and can be classified as CWE-121 (stack-based buffer overflow) or CWE-787 (out-of-bounds write). The attack vector is local, so an attacker must already have access to the system, but the impact is significant because it completely disrupts the application's functionality and prevents normal program operation.
This vulnerability is a classic case of insufficient bounds checking in an input validation routine. When TapinRadio processes the proxy address configuration, it fails to validate the length of the data entered into the address field, so an attacker can provide input that exceeds the allocated buffer. The application allocates a fixed-size buffer for the proxy address but does not verify that incoming data fits within that buffer before copying it. The 3000-byte trigger indicates that the internal buffer is far too small for such input, and the resulting memory corruption causes the application to terminate abnormally. The vulnerability aligns with ATT&CK technique T1499.004, which covers network denial of service attacks, though in this case the attack is executed locally rather than over a network.
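The missing check described above is a length validation before the copy into a fixed-size buffer. The following C code is an added illustration of the hardened form of such a setter, written for this page; it is not TapinRadio's code, and the buffer size (`PROXY_ADDR_MAX`), the `proxy_config_t` structure and the helper names are hypothetical. It rejects oversized input outright instead of truncating it silently, bounds-checks the optional `host:port` split, and includes a constructed 3000-byte input to show that input of the size class named in the advisory is refused without any write past the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit for a proxy host string; the real application's
 * buffer size is not stated in the advisory. */
#define PROXY_ADDR_MAX 255

typedef struct {
    char host[PROXY_ADDR_MAX + 1];   /* fixed-size destination, plus NUL */
    unsigned port;                   /* 0 when no port was given */
} proxy_config_t;

/* Bounded setter: copies input only after confirming it fits, and rejects
 * oversized input rather than truncating it. Returns 0 on success and -1
 * on rejection; it never writes past cfg->host. */
int set_proxy_address(proxy_config_t *cfg, const char *input)
{
    if (cfg == NULL || input == NULL)
        return -1;

    /* Search for the terminator inside the allowed window only, so a very
     * long (or unterminated) input is never scanned beyond the limit. */
    const char *nul = memchr(input, '\0', PROXY_ADDR_MAX + 1);
    if (nul == NULL)
        return -1;                       /* longer than the buffer allows */
    size_t len = (size_t)(nul - input);
    if (len == 0)
        return -1;                       /* empty address is not usable */

    /* Optional host:port split, also bounds-checked. */
    const char *colon = memchr(input, ':', len);
    size_t host_len = colon ? (size_t)(colon - input) : len;
    if (host_len == 0)
        return -1;                       /* ":8080" has no host */

    unsigned port = 0;
    if (colon != NULL) {
        const char *p = colon + 1;
        if (*p == '\0')
            return -1;                   /* trailing colon, no port */
        for (; *p != '\0'; ++p) {
            if (*p < '0' || *p > '9')
                return -1;               /* non-numeric port */
            port = port * 10 + (unsigned)(*p - '0');
            if (port > 65535)
                return -1;               /* out of range */
        }
    }

    /* Only now is anything written, and host_len <= PROXY_ADDR_MAX. */
    memcpy(cfg->host, input, host_len);
    cfg->host[host_len] = '\0';
    cfg->port = port;
    return 0;
}

/* Returns 1 if the input is accepted, 0 if rejected. */
int proxy_address_accepted(const char *input)
{
    proxy_config_t cfg;
    return set_proxy_address(&cfg, input) == 0;
}

/* Returns the parsed port for an accepted input, or 0. */
unsigned parsed_port(const char *input)
{
    proxy_config_t cfg;
    return set_proxy_address(&cfg, input) == 0 ? cfg.port : 0;
}

/* Constructed oversized input: n bytes of 'A', mirroring the size class the
 * advisory describes. Returns 1 if the setter rejects it, 0 otherwise. */
int oversized_input_rejected(size_t n)
{
    char *filler = malloc(n + 1);
    if (filler == NULL)
        return 0;
    memset(filler, 'A', n);
    filler[n] = '\0';

    proxy_config_t cfg;
    int rejected = set_proxy_address(&cfg, filler) == -1;
    free(filler);
    return rejected;
}

int main(void)
{
    printf("valid address accepted:   %d\n",
           proxy_address_accepted("proxy.example.test:8080"));
    printf("3000-byte input rejected: %d\n", oversized_input_rejected(3000));
    return 0;
}
```

The design choice worth noting is that the length check happens before any write and the input is never scanned past `PROXY_ADDR_MAX + 1` bytes, so neither the copy nor the validation itself depends on the caller having terminated the string within bounds. Rejecting rather than truncating also keeps a mangled proxy address from being silently saved into the configuration.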
The operational impact extends beyond simple application instability: it disrupts user productivity and system availability for anyone running the affected version of TapinRadio. A local attacker with access to the system can crash the application repeatedly, forcing users to restart it manually and potentially lose unsaved configuration data. Because the flaw sits in the proxy functionality, users who rely on a proxy configuration for internet connectivity may find their network access disrupted until the application is restarted or the configuration is corrected by hand. For users who depend on TapinRadio for regular audio streaming or podcast listening, the crash removes access to the application's core features entirely. The local attack requirement limits the scope compared to remote vectors, but the issue remains a significant concern on systems where local access is possible, and organizations should account for it in their risk assessments, particularly in environments where multiple users have local access to systems running vulnerable versions. The issue also underlines the importance of input validation and bounds checking in application development, since similar flaws could exist in other components of the application or in comparable software.