Owncast vulnerable to arbitrary file deletion in emoji.go (GHSL-2023-277)
Description
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. The Owncast application exposes an administrator API at the URL /api/admin. The emoji/delete endpoint of said API allows administrators to delete custom emojis, which are saved on disk. The parameter name is taken from the JSON request and directly appended to the filepath that points to the emoji to delete. By using path traversal sequences (../), attackers with administrative privileges can exploit this endpoint to delete arbitrary files on the system, outside of the emoji directory. This vulnerability is fixed in 0.1.3.
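The pattern described above, as an added example that is not Owncast's code and not the patch shipped in 0.1.3: a request-supplied name joined straight onto the emoji directory, next to a variant that rejects anything resolving outside it. The directory constant, function names and sample inputs are hypothetical, and the example assumes custom emojis are stored as flat files in a single directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// emojiDir is a placeholder path (assumption), not Owncast's real location.
const emojiDir = "/data/emoji"

var errOutsideDir = errors.New("emoji name resolves outside the emoji directory")

// naiveEmojiPath joins the request's name to the directory as-is.
// filepath.Join collapses "../" segments, so the result can leave emojiDir.
func naiveEmojiPath(name string) string {
	return filepath.Join(emojiDir, name)
}

// safeEmojiPath accepts only a bare file name, then confirms containment
// lexically before the caller passes the path to os.Remove.
func safeEmojiPath(name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", errOutsideDir
	}
	if strings.ContainsAny(name, `/\`) || strings.ContainsRune(name, 0) {
		return "", errOutsideDir
	}
	target := filepath.Join(emojiDir, name)
	rel, err := filepath.Rel(emojiDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errOutsideDir
	}
	return target, nil
}

func main() {
	// Constructed sample names: one legitimate, three that must be rejected.
	for _, name := range []string{"party.png", "../../outside.txt", "..", `..\x.png`} {
		p, err := safeEmojiPath(name)
		fmt.Printf("%-22q naive=%-24s safe=%q err=%v\n", name, naiveEmojiPath(name), p, err)
	}
}
```

The containment check is lexical only: it does not resolve symlinks, so a symlink placed inside the emoji directory would need separate handling.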
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/owncast/owncast (Go) | < 0.1.3 | 0.1.3 |
References
- github.com/advisories/GHSA-9355-27m8-h74v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-31450 (ghsa, ADVISORY)
- securitylab.github.com/advisories/GHSL-2023-277_Owncast (ghsa, ADVISORY)
- github.com/owncast/owncast/blob/v0.1.2/controllers/admin/emoji.go (ghsa, x_refsource_MISC, WEB)
- github.com/owncast/owncast/commit/1b14800c7d7f54be14ed4d130bfe7f480645076e (ghsa, x_refsource_MISC, WEB)
- github.com/owncast/owncast/releases/tag/v0.1.3 (ghsa, x_refsource_MISC, WEB)
- securitylab.github.com/advisories/GHSL-2023-277_Owncast/ (mitre, x_refsource_CONFIRM)