
Security: Command Injection Vulnerability

Open schirrmacher opened this issue 6 months ago • 2 comments

Hey there!

During security reviews I discovered an issue in audioread/ffdec.py.

The code uses subprocess.Popen to execute external commands (ffmpeg or avconv) with a user-provided filename as part of the command arguments. This creates a significant command injection vulnerability, as a malicious filename could contain arbitrary shell commands, leading to remote code execution on the system.

https://github.com/beetbox/audioread/blob/577f8e2cbe99f33dd7d236deb1626e372f4762e9/audioread/ffdec.py#L144

schirrmacher avatar Jul 31 '25 13:07 schirrmacher
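The check a reviewer would run against a report like this is to see what the child process actually receives. The example below is added here and is not audioread's code; it uses the Python interpreter as a stand-in for ffmpeg/avconv (so it runs offline) and the hostile filename is constructed. The `-i` flag, the `guard_filename` helper and the stand-in child are assumptions for illustration. It shows that an argv list passed to `subprocess` without `shell=True` delivers a filename containing `;` as one literal argument, that the same filename interpolated into a `shell=True` string does execute the injected command, and that the remaining hazard for a list-form call is argument injection by a filename beginning with `-`.

```python
"""Check how a filename in a subprocess argv list reaches the child.

Added example, not audioread's code. The Python interpreter stands in for
ffmpeg/avconv; the child simply echoes back the argv it received as JSON.
"""
import json
import os
import shlex
import subprocess
import sys

# Child program standing in for ffmpeg: print the arguments it was given.
CHILD = "import sys, json; print(json.dumps(sys.argv[1:]))"

# Constructed hostile filename: a shell would split this into two commands.
HOSTILE = "song.mp3; echo INJECTED"


def argv_list_child_args(filename):
    """Run the child the way a Popen/run call with an argv list does (no shell).

    Returns the argument list exactly as the child received it. With a list and
    no shell=True, no shell is involved, so ';' has no special meaning.
    """
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, "-i", filename],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def shell_string_output(filename):
    """Run the same command through the shell with the filename interpolated
    unquoted into the command string (the pattern that IS injectable).

    Returns the child's stdout split into lines. Assumes a POSIX sh.
    """
    cmd = f"{shlex.quote(sys.executable)} -c '{CHILD}' -i {filename}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def shell_injection_ran(filename):
    """True if the injected 'echo INJECTED' actually executed."""
    return "INJECTED" in shell_string_output(filename)


def guard_filename(filename):
    """Argument-injection guard for a filename passed on a command line.

    A filename beginning with '-' can be parsed as an option by the child
    program even when no shell is involved. Prefixing the current directory
    keeps it a path. Hypothetical hardening helper, not the project's code.
    """
    if filename.startswith("-"):
        return os.path.join(os.curdir, filename)
    return filename


if __name__ == "__main__":
    print("argv list  ->", argv_list_child_args(HOSTILE))
    print("shell=True ->", shell_string_output(HOSTILE))
    print("guarded    ->", guard_filename("-loop.mp3"))
```

`argv_list_child_args(HOSTILE)` returns `["-i", "song.mp3; echo INJECTED"]`: the whole string is one argument and nothing else runs. `shell_string_output(HOSTILE)` shows the child receiving only `song.mp3` followed by a separate `INJECTED` line, which is the shell executing the second command. Whether a given `Popen` call is injectable therefore depends on `shell=True` and string building, not on the filename being user-controlled by itself; the list-form residual risk is a leading `-`, which `guard_filename` neutralizes.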