Mpd
Monthly
CRLF injection in Music Player Daemon (MPD) before version 0.24.11 enables network-accessible, unauthenticated attackers to embed raw CR/LF bytes into URI fields parsed from malicious XSPF playlists, injecting forged key-value lines into MPD text protocol responses - including playlistinfo, currentsong, and listplaylist outputs - as well as the persistent state file. The root mechanism is Expat's decoding of XML numeric character references (e.g., ) before invoking the character data callback in xspf_char_data, bypassing any empty-string checks that previously served as the only guard. No public exploit code or CISA KEV listing exists at time of analysis, but the no-authentication network vector means any MPD instance that processes externally supplied playlists is exposed; the fix also extended to ASX, PLS, and RSS playlist plugins, indicating the affected surface was broader than the CVE title implies.
Server-side request forgery in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to bypass HTTP/HTTPS scheme restrictions by exploiting the CurlInputPlugin's failure to set CURLOPT_REDIR_PROTOCOLS_STR alongside CURLOPT_FOLLOWLOCATION in libcurl. An attacker who can submit URLs to MPD via commands such as add, readcomments, albumart, readpicture, or load can cause MPD to follow redirects to non-HTTP protocols including gopher, ftp, sftp, ldap, dict, rtmp, and rtsp - enabling interaction with internal or restricted network services. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the CVSS 4.0 score of 6.9 with a fully unauthenticated network attack vector warrants prompt patching on any externally accessible MPD deployment.
Information disclosure in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to read arbitrary directories and image files outside the configured music_directory via path traversal in the local storage plugin. The flaw, reported by VulnCheck, is exploitable through the standard MPD protocol commands listfiles and albumart, and a vendor patch is available in 0.24.11. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-based exploitation against any default-configured MPD instance reachable on its protocol port.
Stack buffer overflow in Music Player Daemon (MPD) versions prior to 0.24.11 allows remote unauthenticated attackers to crash the daemon or potentially execute code by serving a malicious HTTP audio stream processed by the PCM decoder plugin. The flaw stems from an off-by-one miscalculation in pcm_unpack_24be (src/pcm/Pack.cxx) that writes four bytes (three attacker-controlled) past a 1365-entry int32_t stack array. No public exploit identified at time of analysis, but the upstream fix is confirmed via commit 5991102 and release 0.24.11.
The PPP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted PPP authentication message to cause the daemon to read beyond allocated memory buffer, which would. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The L2TP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted L2TP control packet with AVP Q.931 Cause Code to execute arbitrary code or cause a denial of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
CRLF injection in Music Player Daemon (MPD) before version 0.24.11 enables network-accessible, unauthenticated attackers to embed raw CR/LF bytes into URI fields parsed from malicious XSPF playlists, injecting forged key-value lines into MPD text protocol responses - including playlistinfo, currentsong, and listplaylist outputs - as well as the persistent state file. The root mechanism is Expat's decoding of XML numeric character references (e.g., ) before invoking the character data callback in xspf_char_data, bypassing any empty-string checks that previously served as the only guard. No public exploit code or CISA KEV listing exists at time of analysis, but the no-authentication network vector means any MPD instance that processes externally supplied playlists is exposed; the fix also extended to ASX, PLS, and RSS playlist plugins, indicating the affected surface was broader than the CVE title implies.
Server-side request forgery in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to bypass HTTP/HTTPS scheme restrictions by exploiting the CurlInputPlugin's failure to set CURLOPT_REDIR_PROTOCOLS_STR alongside CURLOPT_FOLLOWLOCATION in libcurl. An attacker who can submit URLs to MPD via commands such as add, readcomments, albumart, readpicture, or load can cause MPD to follow redirects to non-HTTP protocols including gopher, ftp, sftp, ldap, dict, rtmp, and rtsp - enabling interaction with internal or restricted network services. No public exploit has been identified at time of analysis and this vulnerability is not listed in CISA KEV, though the CVSS 4.0 score of 6.9 with a fully unauthenticated network attack vector warrants prompt patching on any externally accessible MPD deployment.
Information disclosure in Music Player Daemon (MPD) before 0.24.11 allows unauthenticated remote attackers to read arbitrary directories and image files outside the configured music_directory via path traversal in the local storage plugin. The flaw, reported by VulnCheck, is exploitable through the standard MPD protocol commands listfiles and albumart, and a vendor patch is available in 0.24.11. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.7 reflects trivial network-based exploitation against any default-configured MPD instance reachable on its protocol port.
Stack buffer overflow in Music Player Daemon (MPD) versions prior to 0.24.11 allows remote unauthenticated attackers to crash the daemon or potentially execute code by serving a malicious HTTP audio stream processed by the PCM decoder plugin. The flaw stems from an off-by-one miscalculation in pcm_unpack_24be (src/pcm/Pack.cxx) that writes four bytes (three attacker-controlled) past a 1365-entry int32_t stack array. No public exploit identified at time of analysis, but the upstream fix is confirmed via commit 5991102 and release 0.24.11.
The PPP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted PPP authentication message to cause the daemon to read beyond allocated memory buffer, which would. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
The L2TP implementation of MPD before 5.9 allows a remote attacker who can send specifically crafted L2TP control packet with AVP Q.931 Cause Code to execute arbitrary code or cause a denial of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.