StreamVault Command Injection Vulnerability Leading to Remote Code Execution

A command injection vulnerability allowing remote code execution has been identified in StreamVault, a multi-platform video parsing and downloading tool. This issue affects all versions prior to 250822. After logging into the StreamVault system, an attacker can modify certain system parameters, such as cookies for various video platforms, and construct malicious commands that are executed on the server. The vulnerability arises because user-provided data is passed to the command execution process without proper sanitization, allowing for arbitrary commands to be executed with server privileges.

Impact

Exploitation of this vulnerability allows for remote command execution on the affected server, with the executed commands running in the context of the server's user privileges.

Reproduction

To reproduce this vulnerability, log into the StreamVault system and navigate to the configuration module for Douyin or Kuaishou. Once there, inject a malicious command into the cookie field by concatenating it with a command payload, such as a command to create a file in the /tmp directory. After injecting the command, trigger the invocation interface that processes the cookie. Wait for a minute or two, and the injected command will be executed on the server.

Remediation

Users should update to StreamVault version 250822 or later, and change any weak passwords. Additionally, review and strengthen password policies to prevent unauthorized access.