Submit #652356: GitHub Airsonic-Advanced 10.6.0 OS Command Injection
| Title | GitHub Airsonic-Advanced 10.6.0 OS Command Injection |
|---|---|
| Description | Airsonic Advanced allows an authenticated user to exploit the 'Upload playlist' feature to write attacker-controlled files outside the intended storage directory by abusing the 'Upload to' input. By supplying a path traversal value such as ../webapps, an attacker can upload a .war file into Tomcat's webapps directory. Tomcat will auto-deploy the archive, which yields arbitrary code execution under the application server account. This results in full compromise of the application and potentially the host. This issue combines insufficient server-side validation of the target path with a lack of file type restrictions for the playlist upload. When Tomcat auto-deploy is enabled, the impact escalates to RCE. A search on Shodan reveals a large number of vulnerable hosts accessible without authentication. <2025-08-05> Initial discovery <2025-08-06> Attempted to contact vendor on GitHub and IRC (https://github.com/airsonic-advanced/airsonic-advanced/issues/1030) <2025-09-06> Public disclosure |
| Source | ⚠️ https:/ |
| User | mikecole-mg (UID 89343) |
| Submission | 09/11/2025 02:03 (9 months ago) |
| Moderation | 09/18/2025 07:35 (7 days later) |
| Status | Accepted |
| VulDB entry | 324790 [Airsonic-Advanced up to 10.6.0 Playlist Upload unrestricted upload] |
| Points | 20 |