IINA Command Execution Vulnerability via Custom URL Scheme

Vulnerability

A command execution vulnerability has been identified in IINA versions prior to 1.4.3 for macOS. It allows remote attackers to execute arbitrary commands by sending malicious query parameters prefixed with 'mpv_' through the 'iina://open' URL scheme. The application forwards these parameters, unvalidated, into the mpv runtime, enabling command execution as the current macOS user once the user approves the browser prompt that precedes opening the custom URL scheme. Notably, the vulnerability does not require a valid media file.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected system, as the current macOS user, following user approval of the 'iina://' URL prompt.

Reproduction

To reproduce this vulnerability, send a crafted 'iina://open' URL that includes malicious 'mpv_options/input-commands' query parameters. When the URL is opened, IINA executes the specified commands via mpv, as confirmed by the mpv log. The vulnerability can also be tested locally with the 'open' command in the macOS terminal, but doing so bypasses the browser prompt that a remote attacker would need the user to approve.

Remediation

Users can update to IINA version 1.4.3, which addresses this vulnerability by rejecting 'mpv_' query parameters that could be used for command execution.
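The remediation above (rejecting 'mpv_'-prefixed query parameters before anything reaches mpv) can be illustrated with a small URL validator. This is an added example written in Python for clarity; it is not IINA's own Swift code and does not claim to match how 1.4.3 implements the check. The host 'open' comes from the 'iina://open' scheme named in this advisory, the 'url' parameter name is assumed, and the sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit, parse_qsl

IINA_SCHEME = "iina"   # custom URL scheme handled by the application
OPEN_HOST = "open"     # the 'iina://open' action named in the advisory
MPV_PREFIX = "mpv_"    # query keys with this prefix are forwarded to mpv and must be rejected


def validate_iina_open_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason) for an 'iina://open' URL.

    The check runs on *decoded* query keys (parse_qsl percent-decodes them),
    so a key written as 'mpv%5F...' is still recognised as 'mpv_...'.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != IINA_SCHEME:
        return False, "not an iina:// URL"
    if parts.netloc.lower() != OPEN_HOST:
        return False, f"unsupported action {parts.netloc!r}"

    params = parse_qsl(parts.query, keep_blank_values=True)
    for key, _value in params:
        if key.lower().startswith(MPV_PREFIX):
            # Refuse the whole URL rather than silently dropping the key:
            # a URL carrying mpv options from an untrusted source is not a
            # request the handler should honour at all.
            return False, f"rejected parameter {key!r}: mpv options are not accepted from URLs"

    if not any(key == "url" for key, _ in params):  # 'url' key is an assumption of this example
        return False, "missing 'url' parameter"
    return True, "ok"


# Constructed sample URLs (not taken from a real incident)
SAMPLES = [
    "iina://open?url=https%3A%2F%2Fexample.com%2Fvideo.mp4",
    "iina://open?url=https%3A%2F%2Fexample.com%2Fvideo.mp4&mpv_PLACEHOLDER=x",
    "iina://open?url=x&mpv%5FPLACEHOLDER=x",   # percent-encoded underscore
    "iina://other?url=https%3A%2F%2Fexample.com%2Fvideo.mp4",
    "https://example.com/video.mp4",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        accepted, reason = validate_iina_open_url(sample)
        print(f"{'ACCEPT' if accepted else 'REJECT':6} {sample}  ({reason})")
```

A stricter variant of the same idea is an allowlist that accepts only the parameter names the handler actually needs, so that any new mpv-bound key is refused by default rather than relying on the prefix; the denylist form is shown here because it mirrors the fix as the advisory describes it.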

Added: May 21, 2026, 8:23 PM
Updated: May 21, 2026, 8:23 PM

Vulnerability Rating

Custom Algorithm
  spread           0.0
  impact          10.0
  exploitability   7.5
  remediation      0.0
  relevance        9.0
  threat           6.4
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.