CVE-2025-34101

Name of the Vulnerable Software and Affected Versions: Serviio Media Server versions 1.4 through 1.8

Description: An unauthenticated command injection exists in Serviio Media Server. The /rest/action API endpoint, exposed by the console component (default port 23423), is vulnerable. The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.

Recommendations: Serviio Media Server version 1.4: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Serviio Media Server version 1.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Serviio Media Server version 1.6: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Serviio Media Server version 1.7: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Serviio Media Server version 1.8: At the moment, there is no information about a newer version that contains a fix for this vulnerability.