CVE-2024-29192 in go2rtc
Summary
by MITRE • 04/04/2024
go2rtc is a camera streaming application. Versions 1.8.5 and prior are vulnerable to Cross-Site Request Forgery. The `/api/config` endpoint allows one to modify the existing configuration with user-supplied values. While the API is only allowing localhost to interact without authentication, an attacker may be able to achieve that depending on how go2rtc is set up on the upstream application, and given that this endpoint is not protected against CSRF, it allows requests from any origin (e.g. a "drive-by" attack). The `exec` handler allows for any stream to execute arbitrary commands. An attacker may add a custom stream through `api/config`, which may lead to arbitrary command execution. In the event of a victim visiting the server in question, their browser will execute the requests against the go2rtc instance. Commit 8793c3636493c5efdda08f3b5ed5c6e1ea594fd9 adds a warning about secure API access.
Analysis
by VulDB Data Team • 09/02/2025
CVE-2024-29192 affects go2rtc, a camera streaming application, in versions 1.8.5 and earlier, which are vulnerable to cross-site request forgery. Users who have not updated to the latest release face a significant risk. The core problem is the `/api/config` endpoint, which accepts user-supplied values to modify the running configuration, so anyone who can get the server to process a request can change its settings.
The flaw is the absence of both proper authentication and CSRF protection on the endpoint that handles configuration changes. go2rtc does restrict unauthenticated access to localhost, but depending on how an upstream application deploys go2rtc, that restriction can be bypassed. Because the endpoint accepts requests from any origin, an attacker can stage a drive-by attack: the victim merely visits an attacker-controlled page, and their browser issues the configuration request to the go2rtc instance, leveraging the victim's authenticated session with it. That is what makes the attack surface particularly dangerous.
The operational impact goes well beyond a configuration change, because go2rtc's `exec` handler lets any stream execute arbitrary commands. Combined with the CSRF weakness, an attacker can add a custom stream through the vulnerable `api/config` endpoint and thereby obtain command execution on the underlying system, escalating a CSRF issue into a full compromise of the camera streaming server. For any organization relying on go2rtc for security camera feeds, this means the possibility of complete system takeover and data breaches.
The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and shows how missing protection mechanisms can have catastrophic consequences. From an ATT&CK perspective, this vulnerability maps to T1059.007 for command and scripting interpreter, and T1566 for credential access through social engineering. Organizations should mitigate immediately: update to the fixed version, implement proper CSRF token validation, restrict API access through network segmentation, and ensure that every API endpoint is authenticated and authorized. The commit referenced in the advisory (8793c3636493c5efdda08f3b5ed5c6e1ea594fd9) adds a warning about secure API access, underscoring that go2rtc's safety depends on how its API is exposed and configured.
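One way to implement the CSRF protection the analysis calls for on a state-changing endpoint such as `/api/config`, written here as an added Go example (go2rtc is written in Go) that is not go2rtc's own code: instead of a synchronizer token it rejects writes whose browser-supplied `Sec-Fetch-Site`, `Origin` or `Referer` headers show they came from another origin, while still letting non-browser clients such as the upstream application through. The function names `isCrossSiteWrite` and `csrfGuard` are assumptions made for this example.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// isCrossSiteWrite reports whether a request should be rejected as a likely
// CSRF attempt against a state-changing endpoint such as /api/config.
func isCrossSiteWrite(r *http.Request) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return false // safe methods do not modify the configuration
	}
	// Current browsers send Sec-Fetch-Site on every request; trust only
	// same-origin requests and direct user navigation ("none").
	if sfs := r.Header.Get("Sec-Fetch-Site"); sfs != "" {
		return sfs != "same-origin" && sfs != "none"
	}
	// Older browsers: fall back to Origin, then to the Referer's origin.
	origin := r.Header.Get("Origin")
	if origin == "" {
		if ref, err := url.Parse(r.Header.Get("Referer")); err == nil && ref.Host != "" {
			origin = ref.Scheme + "://" + ref.Host
		}
	}
	if origin == "" {
		// Browsers always attach Origin to cross-origin writes, so a request
		// with no origin information at all comes from a non-browser client.
		return false
	}
	// "null" and malformed origins parse with an empty Host and are rejected;
	// otherwise the origin must name the host:port this request was sent to.
	u, err := url.Parse(origin)
	return err != nil || u.Host == "" || !strings.EqualFold(u.Host, r.Host)
}

// csrfGuard answers cross-site writes with 403 before the wrapped handler
// (for example the one that rewrites the configuration) ever runs.
func csrfGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isCrossSiteWrite(r) {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap the configuration handler as `csrfGuard(configHandler)`; this blocks the drive-by case but is not a substitute for the authentication and network restrictions listed above, since a non-browser client on the same network is still allowed through.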