CVE-2025-66203
📋 TL;DR
StreamVault versions before 251126 contain a remote code execution vulnerability that allows attackers to execute arbitrary commands on the server. Administrators can configure yt-dlp arguments via the /admin/api/saveConfig endpoint without proper validation, which are then used when constructing command lines. This affects all StreamVault deployments using vulnerable versions.
💻 Affected Systems
- StreamVault
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with application privileges, potentially leading to data theft, lateral movement, or complete server takeover.
Likely Case
Attackers gain shell access to the server, enabling them to steal sensitive data, install malware, or use the server as a pivot point for further attacks.
If Mitigated
With proper network segmentation and least privilege, impact is limited to the application server and its accessible resources.
🎯 Exploit Status
Exploitation requires administrative credentials but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 251126
Vendor Advisory: https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m
Restart Required: Yes
Instructions:
1. Download version 251126 or later from GitHub releases.
2. Stop the StreamVault service.
3. Replace the application files with the patched version.
4. Restart the StreamVault service.
🔧 Temporary Workarounds
Restrict Admin Access
Limit access to the /admin/api/saveConfig endpoint to trusted IP addresses only.
# Configure firewall rules to restrict access to admin endpoints
# Note: a port-level rule restricts all StreamVault traffic from untrusted addresses, not only the admin endpoints;
# path-level restriction of /admin/api/saveConfig needs a reverse proxy or WAF in front of the application.
# Example for Linux iptables (allow the trusted address first, then drop all other traffic to the port):
iptables -A INPUT -p tcp --dport [APP_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [APP_PORT] -j DROP
# Example for Windows Firewall (inbound traffic is blocked by default, so a single allow rule suffices):
New-NetFirewallRule -DisplayName "Restrict StreamVault Admin" -Direction Inbound -Protocol TCP -LocalPort [APP_PORT] -RemoteAddress [TRUSTED_IP] -Action Allow
Input Validation Filter
Implement a web application firewall or proxy to filter malicious input to the saveConfig endpoint.
# Configure WAF rules to block command injection patterns
# Example ModSecurity rule: SecRule ARGS "[\|;&`$()]" "id:1001,phase:2,deny"
🧯 If You Can't Patch
- Implement strict network segmentation to isolate StreamVault from critical systems.
- Enforce multi-factor authentication for all administrative accounts and monitor admin access logs.
🔍 How to Verify
Check if Vulnerable:
Check if the application version is below 251126 by examining the version file or application metadata.
Check Version:
grep -r "version" /path/to/streamvault/ | head -5
Verify Fix Applied:
Confirm the application version is 251126 or higher and test that command injection attempts via the saveConfig endpoint are properly rejected.
📡 Detection & Monitoring
Log Indicators:
- Unusual administrative login attempts
- Requests to /admin/api/saveConfig with suspicious parameters containing shell metacharacters
- Unexpected process execution from the StreamVault application
Network Indicators:
- Outbound connections from StreamVault server to unexpected destinations
- Unusual command and control traffic patterns
SIEM Query:
source="streamvault.log" AND (uri="/admin/api/saveConfig" AND (param="*[|;&`$()]*" OR param="*--exec*"))
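The log indicators and SIEM query above, expressed as a small offline detector; this is an added example, not code from the advisory or from the StreamVault project. It assumes a constructed log format in which the request parameters are appended URL-encoded to each line, and uses the same shell-metacharacter class and --exec option the WAF rule and SIEM query use.

```python
import re
from urllib.parse import parse_qsl

ADMIN_PATH = "/admin/api/saveConfig"
# Same character class the page's WAF rule and SIEM query use, plus the
# yt-dlp --exec option the SIEM query singles out.
SHELL_META = re.compile(r"[|;&`$()]")
EXEC_FLAG = re.compile(r"(^|\s)--exec(\s|=|$)")

# Constructed log format (an assumption for this example, not StreamVault's
# actual log layout): <timestamp> <client_ip> <method> <path> status=<code> params=<urlencoded>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"status=(?P<status>\d{3}) params=(?P<params>\S*)$"
)

def flag_params(params):
    """Return (name, value) pairs whose value carries shell metacharacters or --exec."""
    hits = []
    for name, value in parse_qsl(params, keep_blank_values=True):
        if SHELL_META.search(value) or EXEC_FLAG.search(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Apply the page's log indicators: only saveConfig requests are inspected."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("path") != ADMIN_PATH:
            continue
        hits = flag_params(m.group("params"))
        if hits:
            findings.append({"ts": m.group("ts"), "ip": m.group("ip"), "params": hits})
    return findings

# Constructed sample lines (not real traffic): a benign config save, one carrying a
# shell metacharacter, one carrying --exec, and a non-admin request that must be ignored.
SAMPLE_LOG = [
    "2025-11-26T10:00:01Z 10.0.0.5 POST /admin/api/saveConfig status=200 params=ytDlpArgs=--format+best",
    "2025-11-26T10:00:02Z 198.51.100.7 POST /admin/api/saveConfig status=200 params=ytDlpArgs=--format+best%3B+CONSTRUCTED_COMMAND",
    "2025-11-26T10:00:03Z 198.51.100.7 POST /admin/api/saveConfig status=200 params=ytDlpArgs=--exec+CONSTRUCTED_COMMAND",
    "2025-11-26T10:00:04Z 10.0.0.9 GET /api/videos status=200 params=q=cats%3B+dogs",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} suspicious saveConfig params: {f['params']}")
```

Feeding real access logs requires only adapting LOG_RE to the deployment's actual line layout; the parameter check itself is independent of the log format.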