📄 Description (English)
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.
🤖 AI Executive Summary
AzuraCast versions prior to 0.23.6 contain a critical HTTP header injection vulnerability in the ApplyXForwarded middleware that allows unauthenticated attackers to perform account takeover. By poisoning the X-Forwarded-Host header during password reset requests, attackers can redirect password reset tokens to attacker-controlled servers, enabling full account compromise including 2FA bypass. This vulnerability is actively exploitable and affects all self-hosted AzuraCast deployments without proper proxy configuration.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 15, 2026 00:37
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations operating self-hosted AzuraCast instances for radio broadcasting, media management, or internal communications are at significant risk. This vulnerability particularly impacts: (1) Saudi media and broadcasting companies using AzuraCast for station management, (2) Government entities and public institutions managing internal radio communications, (3) Educational institutions operating campus radio stations, (4) Telecom operators (STC, Mobily, Zain) managing broadcast infrastructure. The account takeover capability enables attackers to compromise administrative accounts, modify broadcast content, exfiltrate sensitive data, and disrupt radio operations. Organizations without proper reverse proxy configuration are immediately vulnerable.
🏢 Affected Saudi Sectors
Media and Broadcasting
Government and Public Administration
Education
Telecommunications
Healthcare (if using for internal communications)
Energy and Utilities
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all AzuraCast instances in your environment and verify their version numbers
2. Implement network-level controls to restrict X-Forwarded-Host header acceptance from untrusted sources
3. Disable password reset functionality temporarily if patching cannot be completed within 24 hours
4. Review access logs for suspicious X-Forwarded-Host header values and password reset requests from unusual IP addresses
PATCHING:
1. Upgrade AzuraCast to version 0.23.6 or later immediately
2. Follow official upgrade documentation at https://docs.azuracast.com/en/getting-started/updates
3. Test password reset functionality after patching
4. Verify 2FA settings remain intact post-upgrade
COMPENSATING CONTROLS (if immediate patching not possible):
1. Configure reverse proxy (nginx/Apache) to validate and whitelist X-Forwarded-Host headers
2. Implement WAF rules to block requests with suspicious X-Forwarded-Host values
3. Enable request logging and alerting for X-Forwarded-Host header anomalies
4. Enforce strong password policies and mandatory 2FA for all administrative accounts
5. Implement email verification for password reset requests with user confirmation
DETECTION RULES:
1. Alert on password reset requests with X-Forwarded-Host headers pointing to external domains
2. Monitor for multiple failed password reset attempts from single IP address
3. Track successful password resets followed by 2FA configuration changes
4. Log all requests containing X-Forwarded-Host headers not matching expected domain patterns
5. Implement SIEM rules: (X-Forwarded-Host != expected_domain) AND (password_reset_triggered OR token_generated)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نوى AzuraCast في بيئتك وتحقق من أرقام إصداراتها
2. طبق عناصر تحكم على مستوى الشبكة لتقييد قبول رأس X-Forwarded-Host من المصادر غير الموثوقة
3. عطل وظيفة إعادة تعيين كلمة المرور مؤقتاً إذا لم يتمكن من إكمال التصحيح في غضون 24 ساعة
4. راجع سجلات الوصول للقيم المريبة في رأس X-Forwarded-Host وطلبات إعادة تعيين كلمة المرور من عناوين IP غير المعتادة
التصحيح:
1. قم بترقية AzuraCast إلى الإصدار 0.23.6 أو أحدث على الفور
2. اتبع التوثيق الرسمي للترقية على https://docs.azuracast.com/en/getting-started/updates
3. اختبر وظيفة إعادة تعيين كلمة المرور بعد التصحيح
4. تحقق من بقاء إعدادات المصادقة الثنائية سليمة بعد الترقية
عناصر التحكم البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. قم بتكوين وكيل عكسي (nginx/Apache) للتحقق من صحة وإدراج رؤوس X-Forwarded-Host في القائمة البيضاء
2. طبق قواعد WAF لحظر الطلبات برؤوس X-Forwarded-Host المريبة
3. فعّل تسجيل الطلبات والتنبيهات لشذوذ رأس X-Forwarded-Host
4. فرض سياسات كلمات مرور قوية والمصادقة الثنائية الإلزامية لجميع الحسابات الإدارية
5. طبق التحقق من البريد الإلكتروني لطلبات إعادة تعيين كلمة المرور مع تأكيد المستخدم
قواعد الكشف:
1. تنبيه على طلبات إعادة تعيين كلمة المرور برؤوس X-Forwarded-Host تشير إلى نطاقات خارجية
2. مراقبة محاولات إعادة تعيين كلمة المرور الفاشلة المتعددة من عنوان IP واحد
3. تتبع إعادة تعيين كلمة المرور الناجحة متبوعة بتغييرات تكوين المصادقة الثنائية
4. سجل جميع الطلبات التي تحتوي على رؤوس X-Forwarded-Host غير المطابقة لأنماط النطاق المتوقعة
5. طبق قواعد SIEM: (X-Forwarded-Host != expected_domain) AND (password_reset_triggered OR token_generated)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication
5.2.1 - User Identity Management
5.3.1 - Password Management
6.1.1 - Incident Detection and Response
7.1.1 - Security Monitoring and Logging
🔵 SAMA CSF
ID.AM-1 - Asset Management
PR.AC-1 - Access Control
PR.AC-6 - Identity and Access Management
DE.AE-1 - Anomalies and Events Detection
DE.CM-1 - Audit Logging
🟡 ISO 27001:2022
A.5.2.1 - User Registration and De-registration
A.5.2.2 - User Access Provisioning
A.5.2.3 - Access Rights Review
A.5.3.1 - Password Management
A.8.2.1 - User Endpoint Devices
A.8.3.1 - Information Access Restriction
A.12.4.1 - Event Logging
🔗 References & Sources 4
🔗
https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85
security-advisories@github.com
Patch
🔗
https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6
security-advisories@github.com
Product
🔗
https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8
security-advisories@github.com
Exploit
Mitigation
Vendor Advisory
🔗
https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Mitigation
Vendor Advisory
📦 Affected Products / CPE 1 entries
azuracast:azuracast