StreamVault Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in versions of the StreamVault application (SpiritApplication) prior to 251126. The application allows administrators to configure yt-dlp arguments through the /admin/api/saveConfig endpoint without adequate validation. These arguments are stored globally and later used in YtDlpUtil.java to construct the command line for executing yt-dlp. An attacker with administrative access can inject malicious flags, which yt-dlp acts on when processing video download requests via the /api/processingVideos endpoint.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the server, with the same privileges as the application process. This could result in a complete system compromise, unauthorized data access, or a denial-of-service condition.
Reproduction
To reproduce this vulnerability, first obtain a valid administrative session or bypass authentication. Then, send a POST request to the /admin/api/saveConfig endpoint, including the ytdlpargs parameter with a malicious yt-dlp flag, such as --exec-before-download, which instructs yt-dlp to execute a shell command before downloading a video. After saving the configuration, trigger the video processing by sending a GET request to the /api/processingVideos endpoint with a valid YouTube URL. This will execute the injected command, confirming successful exploitation.
Remediation
Users are advised to update to StreamVault version 251126 or later.
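The missing validation described above can be closed with an allowlist. The following is an added example, not StreamVault's code or its actual patch: it accepts only exact-match flags from a fixed list, rejects values that look like options, and builds an argument vector for ProcessBuilder with "--" before the URL. The class name, the allowlist contents and the whitespace splitting of the ytdlpargs value are assumptions.

```java
import java.util.*;

public class YtDlpArgPolicy {
    // Assumed allowlist: flag -> whether it takes a value. Anything else is rejected.
    private static final Map<String, Boolean> ALLOWED = Map.of(
        "--format", true, "-f", true,
        "--retries", true, "--socket-timeout", true,
        "--limit-rate", true, "--merge-output-format", true,
        "--no-playlist", false, "--no-warnings", false);

    /** Validates admin-supplied arguments; throws on anything outside the allowlist. */
    static List<String> validate(String raw) {
        List<String> out = new ArrayList<>();
        String[] tok = raw.trim().isEmpty() ? new String[0] : raw.trim().split("\\s+");
        for (int i = 0; i < tok.length; i++) {
            String flag = tok[i], value = null;
            int eq = flag.indexOf('=');
            if (flag.startsWith("--") && eq > 0) {      // --flag=value form
                value = flag.substring(eq + 1);
                flag = flag.substring(0, eq);
            }
            Boolean takesValue = ALLOWED.get(flag);     // exact match only, no prefixes
            if (takesValue == null) throw new IllegalArgumentException("flag not allowed: " + flag);
            if (takesValue && value == null) {
                if (++i >= tok.length) throw new IllegalArgumentException("missing value: " + flag);
                value = tok[i];
            }
            if (!takesValue && value != null) throw new IllegalArgumentException("unexpected value: " + flag);
            out.add(flag);
            if (value != null) {                        // a value must not look like another option
                if (value.isEmpty() || value.startsWith("-")) throw new IllegalArgumentException("bad value for " + flag);
                out.add(value);
            }
        }
        return out;
    }

    /** Builds an argv list for ProcessBuilder (no shell); "--" ends option parsing before the URL. */
    static List<String> buildCommand(String adminArgs, String url) {
        List<String> cmd = new ArrayList<>(List.of("yt-dlp"));
        cmd.addAll(validate(adminArgs));
        cmd.addAll(List.of("--", url));
        return cmd;
    }
    public static void main(String[] a) {
        // Constructed inputs: one accepted configuration, one rejected.
        System.out.println(buildCommand("-f best --no-playlist", "https://example.invalid/watch?v=constructed"));
        try { validate("--exec-before-download placeholder"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Running the validator when the configuration is saved and again when the command is built means a value stored before the check existed is still rejected at execution time.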
