Impact
The audit reveals that the Sonicverse dashboard’s API client accepts user‑controlled URLs and forwards them directly to a server‑side HTTP client without validation, creating a Server‑Side Request Forgery flaw. An attacker who can authenticate as a dashboard operator can instruct the backend to send arbitrary HTTP or HTTPS requests to any internal or external host, potentially leaking sensitive data, exfiltrating files, or enabling pivoting within the network. This can compromise confidentiality, integrity, and availability of internal services that the compromised dashboard can reach.
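As an added illustration (not code from the advisory or from the Sonicverse project, whose dashboard language is not stated here), the Python validator below shows the check that the described code path lacks: a user-supplied URL is gated on scheme, on an allowlist of upstream hosts, and on the address range the host resolves to before it is handed to any server-side HTTP client. The allowlist entries, hostnames and addresses are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of upstream hosts the dashboard may contact; in a real
# deployment this comes from operator configuration, never from the request.
ALLOWED_HOSTS = {"stream.example.com"}


def resolve_host(host):
    """Resolve a hostname to every address it maps to (used for the range check)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def outbound_url_error(url, allowed_hosts=ALLOWED_HOSTS, resolve=resolve_host):
    """Return None if the backend may fetch `url`, otherwise a short reason.

    Rejects non-http(s) schemes, embedded credentials, hosts outside the
    allowlist, and any allowlisted host that resolves to loopback, RFC 1918,
    link-local (169.254/16 cloud metadata), multicast or other non-global space.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return "missing host"
    if host.lower() not in allowed_hosts:
        return f"host not on allowlist: {host!r}"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return f"cannot resolve {host!r}: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global or ip.is_multicast:
            return f"{host!r} resolves to non-global address {addr}"
    return None


def fetch_upstream(url, http_get, **kwargs):
    """Hardened replacement for forwarding a user-supplied URL straight to the
    HTTP client: validate first, and only then hand it to `http_get`."""
    error = outbound_url_error(url, **kwargs)
    if error:
        raise ValueError(f"refusing outbound request: {error}")
    return http_get(url)
```

Two gaps remain that this block does not close: the HTTP client resolves the host a second time (DNS rebinding), and a redirect from an allowlisted host can point anywhere, so pin the client to the checked address and disable redirects or re-validate each hop.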
Affected Systems
The vulnerability affects the Sonicverse Self‑Hosted Docker Compose radio streaming stack (sonicverse-eu:audiostreaming-stack). All installations created with the default install.sh script—including the one‑liner bash <(curl -fsSL https://sonicverse.short.gy/install-audiostack)—are vulnerable. No specific version numbers are provided, so any deployment built from the released source prior to the commit that fixes the issue is susceptible.
Risk and Exploitability
The CVSS v3 score of 9.9 indicates critical severity with high exploitability weights. Although no EPSS score is available, the flaw's absence from the CISA KEV catalog suggests there is no publicly documented exploitation yet. The flaw requires authenticated access to the dashboard, so exploitation involves deliberate requests by an authenticated user rather than unauthenticated remote code execution. Nevertheless, once authenticated, the attacker can exfiltrate data or use the stack to reach other internal endpoints, making the risk significant for exposed or poorly secured deployments.
OpenCVE Enrichment