CVE-2024-40348 Overview
CVE-2024-40348 is a directory traversal vulnerability discovered in Bazarr version 1.4.3, a companion application used with Sonarr and Radarr for managing and downloading subtitles. The vulnerability exists in the /api/swaggerui/static endpoint, which fails to properly sanitize user input, allowing unauthenticated attackers to traverse the file system and access sensitive files outside the intended directory.
Critical Impact
Unauthenticated attackers can exploit this vulnerability to read arbitrary files from the server, potentially exposing configuration files, credentials, API keys, and other sensitive data without requiring any authentication.
Affected Products
- Bazarr version 1.4.3
- Potentially other versions released before the fix
Discovery Timeline
- 2024-07-20 - CVE-2024-40348 published to NVD
- 2025-07-08 - Last updated in NVD database
Technical Details for CVE-2024-40348
Vulnerability Analysis
This directory traversal vulnerability (CWE-22) allows unauthenticated remote attackers to read arbitrary files from the system hosting Bazarr. The /api/swaggerui/static component, which serves static files for the Swagger UI documentation interface, does not properly validate or sanitize file path inputs. This oversight enables attackers to use path traversal sequences (such as ../) to escape the intended directory and access files anywhere on the filesystem that the Bazarr process has read permissions for.
The attack requires no authentication and can be performed remotely over the network with minimal complexity. While the vulnerability primarily impacts confidentiality by enabling unauthorized file reads, it can also cause limited availability issues if exploited against critical system files.
Root Cause
The root cause of this vulnerability is improper input validation in the static file serving component of Bazarr's API. The /api/swaggerui/static endpoint fails to canonicalize or sanitize file path parameters before attempting to serve files. This allows attackers to inject directory traversal sequences like ../ that navigate outside the intended static files directory, ultimately reaching sensitive system files.
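To make the root cause concrete, here is an added illustration (not Bazarr's code) of the vulnerable pattern next to a canonicalizing resolver that rejects any path escaping the static root. STATIC_ROOT is an assumed directory, and the resolver assumes the web framework has already URL-decoded the path once, as WSGI servers do.

```python
"""Added illustration of the root cause and its fix; not Bazarr's code.
A naive join serves whatever file the client's '..' segments land on; the
hardened resolver canonicalizes first and refuses anything outside the root.
Assumes the framework has already URL-decoded the path (as WSGI does)."""
import os

# Assumed static directory for this example; not Bazarr's real layout.
STATIC_ROOT = "/opt/bazarr/swaggerui/static"


def naive_static_path(root: str, requested: str) -> str:
    """Vulnerable pattern: join and normalize, never check where it ends up."""
    return os.path.normpath(os.path.join(root, requested))


def safe_static_path(root: str, requested: str):
    """Return the canonical file path to serve, or None if the request
    would leave the static root (CWE-22)."""
    if "\x00" in requested:          # a NUL byte would truncate the path in C libraries
        return None
    # A leading slash would make os.path.join discard root entirely.
    rel = requested.lstrip("/\\")
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, rel))
    # realpath collapses '..' and follows symlinks; commonpath then proves
    # containment without the '/static' vs '/static-evil' prefix pitfall.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate
```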
Attack Vector
The attack is network-based and requires no privileges or user interaction. An attacker can craft malicious HTTP requests to the vulnerable endpoint, embedding path traversal sequences to access files outside the web root. Typical targets include:
- Configuration files containing database credentials
- Application secrets and API keys
- System files such as /etc/passwd on Linux systems
- Log files containing sensitive information
The vulnerability can be exploited by sending specially crafted GET requests to the /api/swaggerui/static endpoint with path traversal payloads. For detailed technical information and proof of concept, refer to the GitHub Proof of Concept.
Detection Methods for CVE-2024-40348
Indicators of Compromise
- Unusual HTTP requests to /api/swaggerui/static containing ../ sequences or URL-encoded variants (%2e%2e%2f)
- Access logs showing requests for files outside the expected static directory
- Multiple rapid requests to the Swagger UI static endpoint from a single source
- Requests attempting to access known sensitive files like /etc/passwd, config.ini, or application configuration files
Detection Strategies
- Configure web application firewalls (WAF) to detect and block path traversal patterns in URLs
- Implement log monitoring rules to alert on requests containing directory traversal sequences
- Deploy intrusion detection systems (IDS) with signatures for path traversal attacks
- Monitor for anomalous file access patterns on the Bazarr host system
Monitoring Recommendations
- Enable detailed access logging on the Bazarr application and any reverse proxy
- Set up alerts for HTTP requests containing encoded or plain-text path traversal sequences
- Monitor system-level file access for reads of sensitive files by the Bazarr process
- Review access logs regularly for suspicious activity targeting the /api/swaggerui/static endpoint
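As an added example that is not part of the original page, the following script applies the detection and monitoring strategies above to constructed access-log lines: it decodes percent-encoding repeatedly, flags requests to /api/swaggerui/static whose '..' segments resolve outside the static directory, and reports the response status so that likely successful reads stand out. The Combined Log Format, the sample addresses and the file names are assumptions.

```python
"""Detection example added here (not from the original page): flag access-log
requests to the Swagger UI static endpoint that carry a traversal sequence."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/api/swaggerui/static"
# Combined Log Format (nginx/Apache); only the fields the check needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample lines for this demonstration, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2024:10:01:02 +0000] "GET /api/swaggerui/static/swagger-ui.css HTTP/1.1" 200 1423
203.0.113.7 - - [20/Jul/2024:10:01:09 +0000] "GET /api/swaggerui/static/../../../../etc/passwd HTTP/1.1" 200 2011
203.0.113.7 - - [20/Jul/2024:10:01:11 +0000] "GET /api/swaggerui/static/%2e%2e%2f%2e%2e%2fconfig%2fconfig.ini HTTP/1.1" 200 880
198.51.100.4 - - [20/Jul/2024:10:02:00 +0000] "GET /api/series HTTP/1.1" 200 5120
198.51.100.4 - - [20/Jul/2024:10:02:30 +0000] "GET /api/swaggerui/static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 162
"""

def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo percent-encoding until it stops changing (catches double encoding)."""
    for _ in range(rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def traversal_reason(target: str):
    """Explain why a request target traverses out of the static directory,
    or return None. Only requests to the vulnerable endpoint are examined."""
    decoded = fully_decode(urlsplit(target).path)
    if not decoded.startswith(ENDPOINT) or ".." not in decoded.split("/"):
        return None
    # Collapse the dots the way a naive file server would and see where it lands.
    resolved = posixpath.normpath(decoded)
    if resolved != ENDPOINT and not resolved.startswith(ENDPOINT + "/"):
        return "escapes static directory -> " + resolved
    return "traversal sequence within static directory"

def scan_log(text: str):
    """Return (ip, status, target, reason) for every suspicious request.
    A 200 on a flagged line means the file was most likely disclosed."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := traversal_reason(m["target"])):
            hits.append((m["ip"], int(m["status"]), m["target"], reason))
    return hits
```

Feed the script a real nginx or Apache access log in place of SAMPLE_LOG; counting hits per source address also covers the "multiple rapid requests" indicator listed above.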
How to Mitigate CVE-2024-40348
Immediate Actions Required
- Upgrade Bazarr to a version that addresses this vulnerability if a patch is available
- Restrict network access to Bazarr to trusted networks only using firewall rules
- Place Bazarr behind a reverse proxy with path traversal filtering enabled
- Disable external access to the Swagger UI endpoint if not required for operations
Patch Information
Users should check the official Bazarr repository and release notes for security updates addressing CVE-2024-40348. Upgrading to the latest available version is strongly recommended. Monitor the Bazarr GitHub repository for security advisories and patches.
Workarounds
- Implement network segmentation to limit access to Bazarr from untrusted networks
- Use a reverse proxy (such as nginx or Apache) configured to block requests containing path traversal sequences
- Apply host-based firewall rules to restrict access to the Bazarr service port
- Run Bazarr with minimal filesystem permissions to limit the impact of potential file disclosure
# Example nginx configuration to block path traversal attempts
server {
    listen 80;
    server_name bazarr.example.com;   # placeholder hostname
    # nginx resolves ".." (and decodes %XX) in the URI before matching
    # locations, so a traversal request never reaches a prefix location for
    # /api/swaggerui/static, while proxy_pass without a URI part forwards the
    # client's raw request URI upstream. The check therefore sits at server
    # level, on the raw $request_uri, and matches percent-encoded dots as
    # well as literal ones (~* is case-insensitive, so %2E is covered).
    if ($request_uri ~* "(\.\.|%2e%2e|\.%2e|%2e\.)") {
        return 403;
    }
    location / {
        proxy_pass http://localhost:6767;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

