Impact
This vulnerability exists in the rclone command‑line utility, specifically within the rcd daemon when it is started with the --rc-serve flag. From release 1.46.0 up to 1.74.3, the daemon accepts unauthenticated HTTP GET or HEAD requests to paths like /[remote:path]/object. The remote part is parsed as an inline remote configuration and is passed directly to the backend initialization code. An attacker can embed backend options that execute local shell commands during this initialization, so a single unauthenticated HTTP request can trigger arbitrary command execution as the user running the rclone process.
Affected Systems
Affected systems are installations of the rclone tool with versions ranging from 1.46.0 to 1.74.3 inclusive. The vendor is rclone. Any deployment that runs the rcd service exposed to a network and does not restrict the backend configuration mechanism is vulnerable. The vulnerability is mitigated by the fix shipped in version 1.74.3.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.8, indicating critical severity, and is not listed in the CISA KEV catalog. The EPSS score is 0.00495 (<1%), and combined with a high CVSS any authentication requirement, and the potential for local command execution results in a high risk of exploitation. The attack can be carried out by any entity that can reach the rcd service over its HTTP interface, which by default listens on port 5572 if not otherwise bound. Therefore, network attackers within the same host or external networks that can reach the service may trigger the flaw.
OpenCVE Enrichment
Github GHSA