CVE-2025-67737

Name of the Vulnerable Software and Affected Versions AzuraCast versions 0.23.1

Description AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API. A user with knowledge of a station's operations can craft a custom HTTP request to affect the station's database. Exploitation requires a valid SFTP station username and knowledge of the internal filesystem structure. The vulnerable API endpoint is exposed through the public-facing HTTP API. The username and internal filesystem structure are required for a successful attack.

Recommendations Update to version 0.23.2 or later.