Impact
A flaw in gonic’s playlist creation handler allows any authenticated Subsonic user to write M3U playlist data to an absolute file path on the host system. The logic error bypasses an intended guard (CWE‑697) and the subsequent write routine accepts the supplied path without containment checks (CWE‑22), while also creating intermediate directories with 0777 permissions (CWE‑732). This makes it possible to overwrite system files, drop malicious scripts, or otherwise place code that can be executed by the operating system, effectively allowing an attacker to gain elevated control over the host.
Affected Systems
All installations of sentriz:gonic running a version earlier than 0.21.0 are vulnerable. Versions 0.21.0 and later contain the patch that fixed the playlist handling logic.
Risk and Exploitability
The CVSS score of 8.1 classifies this issue as high severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalogue. The attack vector is straightforward: an authenticated API user can trigger the write by creating or updating a playlist. Because the Subsonic API by design grants normal users access to playlist endpoints, exploitation does not require elevated privileges or special network conditions. Once the file write succeeds, the attacker can further exploit the host, potentially achieving remote code execution or privilege escalation.
OpenCVE Enrichment
Github GHSA