Skip to main content

Whisperx Fastapi EUVDEUVD-2026-19362

| CVE-2026-34981 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-06 GitHub_M
5.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.6.0
EUVD ID Assigned
Apr 06, 2026 - 16:45 euvd
EUVD-2026-19362
Analysis Generated
Apr 06, 2026 - 16:45 vuln.today
CVE Published
Apr 06, 2026 - 16:19 nvd
MEDIUM 5.8

DescriptionGitHub Advisory

The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1 to 0.5.0, FileService.download_from_url() in app/services/file_service.py calls requests.get(url) with zero URL validation. The file extension check occurs AFTER the HTTP request is already made, and can be bypassed by appending .mp3 to any internal URL. The /speech-to-text-url endpoint is unauthenticated. This vulnerability is fixed in 0.6.0.

AnalysisAI

Server-side request forgery (SSRF) in whisperX-FastAPI versions 0.3.1 through 0.5.0 allows unauthenticated remote attackers to make arbitrary HTTP requests to internal URLs by exploiting inadequate URL validation in the FileService.download_from_url() function. An attacker can bypass the post-request file extension check by appending .mp3 to any URL supplied to the /speech-to-text-url endpoint, enabling reconnaissance of internal services and potential information disclosure. The vulnerability carries moderate severity (CVSS 5.8) with confirmed patch availability in version 0.6.0.

Technical ContextAI

The vulnerability stems from a Server-Side Request Forgery (CWE-918) flaw in the file download mechanism. The FileService.download_from_url() function in app/services/file_service.py performs no URL validation before calling requests.get(url), allowing the HTTP request to be executed against any attacker-supplied URL-including internal addresses (127.0.0.1, private IP ranges, cloud metadata endpoints). The file extension validation occurs only after the request completes, making it ineffective as a security control. An attacker can circumvent the extension check by appending .mp3 to the malicious URL (e.g., http://169.254.169.254/?secret=data.mp3), allowing the request to proceed while the response body is processed. The /speech-to-text-url endpoint lacks authentication (PR:N per CVSS vector), exposing the SSRF to any network-accessible client. This design flaw affects whisperX-FastAPI CPE cpe:2.3:a:pavelzbornik:whisperx-fastapi:*:*:*:*:*:*:*:*, specifically versions 0.3.1 through 0.5.0.

RemediationAI

Vendor-released patch: upgrade to whisperX-FastAPI version 0.6.0 or later, which addresses the URL validation flaw. The fix commit is available at https://github.com/pavelzbornik/whisperX-FastAPI/commit/ef78fe2001deede5354031e4200d41c6a7e8cbfc. If immediate upgrade is not feasible, implement network-level controls to restrict outbound requests from the whisperX-FastAPI service to approved internal and external destinations using firewall rules or egress proxies. Additionally, require authentication on the /speech-to-text-url endpoint at the application or reverse proxy level to limit exposure to trusted callers. Validate and whitelist all URLs supplied to the download function before the HTTP request is initiated, rather than relying on post-request file extension checks.

Share

EUVD-2026-19362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy