GHSA-XV8G-FJ9H-6GMV

Vulnerability from github – Published: 2026-03-10 01:18 – Updated: 2026-03-10 19:27
VLAI
Summary
Linkdave Missing Authentication on REST and WebSocket endpoints
Details

The linkdave server does not enforce authentication on its REST and WebSocket routes in versions prior to 0.1.5.

Impact

An attacker with network access to the server port can: - Connect to the WebSocket endpoint (/ws) and receive a valid session_id in the OpReady response. - Use that session to invoke all REST player controls on any guild corresponding to their session id[1]. - Enumerate server statistics and runtime information via the unauthenticated /stats endpoint (still public after the fix).

[1] If on >=0.1.0, attackers are restricted to creating, controlling and deleting players created within their own session ID.

Vulnerable Routes

The following routes were entirely unauthenticated in >= 0.0.1, < 0.1.5:

Method Path Description
POST /sessions/{session_id}/players/{guild_id}/play Start audio playback
POST /sessions/{session_id}/players/{guild_id}/pause Pause playback
POST /sessions/{session_id}/players/{guild_id}/resume Resume playback
POST /sessions/{session_id}/players/{guild_id}/stop Stop playback
POST /sessions/{session_id}/players/{guild_id}/seek Seek to position
PATCH /sessions/{session_id}/players/{guild_id}/volume Set volume
DELETE /sessions/{session_id}/players/{guild_id} Disconnect from voice channel
GET /ws WebSocket event stream

Patches

Update to 0.1.5.

- image: ghcr.io/shi-gg/linkdave:0.1.4
+ image: ghcr.io/shi-gg/linkdave:latest

or

docker pull ghcr.io/shi-gg/linkdave:latest

After upgrading, set the LINKDAVE_PASSWORD environment variable to a strong secret value. If this variable is left unset, the server will still accept all connections without authentication even on >= 0.1.5.

Server configuration (e.g. compose.yml):

environment:
    LINKDAVE_PASSWORD: ${LINKDAVE_PASSWORD}
echo "LINKDAVE_PASSWORD=$(openssl rand -hex 16)" >> .env

To restart the stack, run

docker compose up -d

TypeScript client (0.1.5+):

The client automatically handles authentication. Pass the password when constructing the client:

const linkdave = new LinkDaveClient({
    nodes: [
        {
            name: "main",
            url: process.env.LINKDAVE_URI,
            password: process.env.LINKDAVE_PASSWORD
        }
    ]
});

Workarounds

If upgrading is not immediately possible, restrict network access to the server's port using a firewall so it is only accessible from trusted internal IP addresses.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/shi-gg/linkdave"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T01:18:20Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "The `linkdave` server does not enforce authentication on its REST and WebSocket routes in versions prior to `0.1.5`.\n\n### Impact\n\nAn attacker with network access to the server port can:\n- Connect to the WebSocket endpoint (`/ws`) and receive a valid `session_id` in the `OpReady` response.\n- Use that session to invoke all REST player controls on any guild corresponding to their session id[1].\n- Enumerate server statistics and runtime information via the unauthenticated `/stats` endpoint (still public after the fix).\n\n[1] If on [`\u003e=0.1.0`](https://github.com/shi-gg/linkdave/releases/tag/v0.1.0), attackers are restricted to creating, controlling and deleting players created within their own session ID.\n\n### Vulnerable Routes\n\nThe following routes were entirely unauthenticated in `\u003e= 0.0.1, \u003c 0.1.5`:\n\n| Method | Path | Description |\n|--------|------|-------------|\n| `POST` | `/sessions/{session_id}/players/{guild_id}/play` | Start audio playback |\n| `POST` | `/sessions/{session_id}/players/{guild_id}/pause` | Pause playback |\n| `POST` | `/sessions/{session_id}/players/{guild_id}/resume` | Resume playback |\n| `POST` | `/sessions/{session_id}/players/{guild_id}/stop` | Stop playback |\n| `POST` | `/sessions/{session_id}/players/{guild_id}/seek` | Seek to position |\n| `PATCH` | `/sessions/{session_id}/players/{guild_id}/volume` | Set volume |\n| `DELETE` | `/sessions/{session_id}/players/{guild_id}` | Disconnect from voice channel |\n| `GET` | `/ws` | WebSocket event stream |\n\n### Patches\n\nUpdate to [`0.1.5`](https://github.com/shi-gg/linkdave/commit/0f9a00d9d549b16278db81fce6dfec350c2abc01).\n\n```diff\n- image: ghcr.io/shi-gg/linkdave:0.1.4\n+ image: ghcr.io/shi-gg/linkdave:latest\n```\nor\n```sh\ndocker pull ghcr.io/shi-gg/linkdave:latest\n```\n\nAfter upgrading, set the `LINKDAVE_PASSWORD` environment variable to a strong secret value. If this variable is left unset, the server will still accept all connections without authentication even on `\u003e= 0.1.5`.\n\n**Server configuration (e.g. `compose.yml`):**\n```sh\nenvironment:\n    LINKDAVE_PASSWORD: ${LINKDAVE_PASSWORD}\n```\n```sh\necho \"LINKDAVE_PASSWORD=$(openssl rand -hex 16)\" \u003e\u003e .env\n```\n\nTo restart the stack, run\n```sh\ndocker compose up -d\n```\n\n**TypeScript client (`0.1.5+`):**\n\nThe client automatically handles authentication. Pass the password when constructing the client:\n```ts\nconst linkdave = new LinkDaveClient({\n    nodes: [\n        {\n            name: \"main\",\n            url: process.env.LINKDAVE_URI,\n            password: process.env.LINKDAVE_PASSWORD\n        }\n    ]\n});\n```\n\n### Workarounds\n\nIf upgrading is not immediately possible, restrict network access to the server\u0027s port using a firewall so it is only accessible from trusted internal IP addresses.",
  "id": "GHSA-xv8g-fj9h-6gmv",
  "modified": "2026-03-10T19:27:55Z",
  "published": "2026-03-10T01:18:20Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shi-gg/linkdave/security/advisories/GHSA-xv8g-fj9h-6gmv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/shi-gg/linkdave/commit/0f9a00d9d549b16278db81fce6dfec350c2abc01"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shi-gg/linkdave"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Linkdave Missing Authentication on REST and WebSocket endpoints"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…