Unrated severity · NVD Advisory · Published Feb 1, 2022 · Updated May 5, 2025

Code injection in iTunesRPC-Remastered

CVE-2022-23603

Description

iTunesRPC-Remastered is a discord rich presence application for use with iTunes & Apple Music. In code before commit 24f43aa user input is not properly sanitized and code injection is possible. Users are advised to upgrade as soon as is possible. There are no known workarounds for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper input sanitization in iTunesRPC-Remastered before commit 24f43aa allows code injection via unsanitized use of eval.

Vulnerability

The vulnerability is improper input sanitization in the get function of server.py in iTunesRPC-Remastered, a Discord rich presence application for iTunes and Apple Music. The code uses eval(str(status)) on cached data obtained from an API, where user-controlled fields such as title, singer, and album are not properly escaped before being stored and later evaluated [1][2]. All versions before commit 24f43aa are affected; commits 7f9dd66, b39ad02, 96cc9f2, 4d0f88b, c29b3c8, 953fd83, 355a474, and 54b02d9 are vulnerable [3].

Exploitation

An attacker needs to be able to inject malicious content into the cached image metadata (e.g., by uploading an image with a crafted title, singer, or album value). The application does not sanitize or escape these inputs, allowing the injection of arbitrary Python code. When the server processes a subsequent request that retrieves the cached data, it calls eval(str(status)), executing the injected payload [1][2]. No authentication is required if the API endpoint is exposed; the attacker only needs to send a crafted POST request with the malicious metadata.

Impact

Successful exploitation results in code injection, allowing the attacker to execute arbitrary Python code on the server. This can lead to full compromise of the system, including data theft, server control, or further lateral movement [3].

Mitigation

The issue is fixed in commit 24f43aa, which replaces eval with ast.literal_eval for safe parsing and adds HTML escaping for output [1][2]. Users should upgrade to commit 24f43aa or later [3]. No tagged release is affected, because no release had been published as of the advisory date. For users who cannot upgrade, manually adding input validation and output escaping in the server and client code is recommended [3]. The repository was archived and is read-only as of December 2022; users relying on this project should consider alternatives.
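The fix pattern described above, as an added illustration that is not code from iTunesRPC-Remastered: the pre-24f43aa style of parsing a cached status record with eval is shown next to a hardened parser that uses ast.literal_eval and escapes the title, singer and album fields before they are rendered. The function names and the shape of the status record are assumptions for the example.

```python
import ast
import html
from typing import Any, Dict

# Assumed field names; the advisory names title, singer and album as user-controlled.
USER_FIELDS = ("title", "singer", "album")


def parse_cached_status_unsafe(raw: str) -> Any:
    """Reconstruction of the vulnerable pattern: eval runs any expression in the
    cached string, so a crafted title/singer/album value becomes executable code."""
    return eval(str(raw))  # noqa: S307  (intentionally unsafe, shown for contrast)


def parse_cached_status(raw: str) -> Dict[str, Any]:
    """Hardened replacement: ast.literal_eval only accepts Python literals
    (dicts, lists, strings, numbers, ...). Calls, names and attribute access are
    rejected with ValueError instead of being executed."""
    try:
        status = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise ValueError("cached status is not a plain literal") from exc
    # Enforce the expected shape so later code cannot be surprised by other literals.
    if not isinstance(status, dict):
        raise ValueError("cached status must be a dict")
    return status


def render_status(status: Dict[str, Any]) -> str:
    """Escape every user-supplied field before it is placed into HTML output."""
    safe = {f: html.escape(str(status.get(f, ""))) for f in USER_FIELDS}
    return f"<p>{safe['title']} by {safe['singer']} from {safe['album']}</p>"


if __name__ == "__main__":
    # Constructed sample record, as it might be cached from the API.
    cached = "{'title': '<b>Song</b>', 'singer': 'A & B', 'album': 'C'}"
    print(render_status(parse_cached_status(cached)))
```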

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
