CVE-2022-50919: Critical Unauthenticated Remote Code Execution in Tdarr via Help Terminal

CVE ID: CVE-2022-50919
Product: Tdarr
Affected Component: Web UI – Help / FFmpeg argument terminal
Vulnerability Type: Command Injection → Remote Code Execution
Authentication Required: No
Attack Vector: Network (HTTP/HTTPS)
Severity: Critical
CVSS Score: 9.8 (Critical)
Exploit Maturity: Public proof-of-concept exists (educational / research use)


Overview

CVE-2022-50919 is a critical unauthenticated remote code execution vulnerability in Tdarr.
The issue exists in the Help tab of the Tdarr web interface, where users can input FFmpeg or HandBrake command-line arguments for reference.

Due to improper input sanitization, specially crafted input containing shell control characters can be interpreted by the underlying system shell. This allows an attacker to inject and execute arbitrary operating system commands on the Tdarr server without authentication.

If the Tdarr web interface is exposed to an internal or external network, anyone who can reach it can potentially take control of the host system.


Technical Root Cause

  • Tdarr provides a web-based “Help” terminal intended to display help output for media processing tools.
  • User-supplied input from this terminal is passed directly into a shell execution context.
  • No filtering or escaping is applied to remove shell metacharacters.
  • Shell control operators (such as command separators and pipes) allow attackers to append additional commands.
  • The system executes those commands with the same privileges as the Tdarr process.

This is a classic command injection flaw, made more severe by the lack of authentication and by the fact that the affected interface is a management console.


Why This Is Dangerous

An attacker who successfully exploits this vulnerability can:

  • Execute arbitrary system commands
  • Download and run additional malicious tools
  • Open reverse shells or remote access channels
  • Steal configuration files, API keys, or media data
  • Install persistence mechanisms
  • Use the Tdarr host as a pivot point to attack other systems

Because Tdarr often runs on media servers, NAS devices, or home lab systems, compromise may expose large storage volumes or trusted internal networks.


Exploitation (High-Level, Defensive Description)

Note: Exploitation details and proofs of concept are publicly available and widely known.
The description below is conceptual only and is provided for defensive and educational purposes.

At a high level, exploitation works as follows:

  1. The attacker sends a crafted HTTP request to the Tdarr web interface.
  2. The request targets the Help terminal input field.
  3. The input includes shell control characters embedded alongside legitimate-looking arguments.
  4. Tdarr processes the input and passes it to the operating system shell.
  5. The shell executes both the intended command and the injected command.
  6. The attacker gains command execution on the host.

No login, token, or user interaction is required.


MITRE ATT&CK Mapping

Tactic                  Technique
Initial Access          T1190 – Exploit Public-Facing Application
Execution               T1059 – Command and Scripting Interpreter
Persistence             T1053 – Scheduled Task / Cron (post-exploitation)
Privilege Escalation    T1068 – Exploitation for Privilege Escalation
Defense Evasion         T1070 – Indicator Removal
Lateral Movement        T1021 – Remote Services
Command & Control       T1071 – Application Layer Protocol

How to Detect Exploitation or Attempted Exploitation

Log Sources to Monitor

  1. Tdarr Server Logs
    • Unexpected command output
    • Errors referencing shell execution
    • Unusual activity originating from Help functions
  2. Web Server / Reverse Proxy Logs
    • Requests to Help-related endpoints
    • Long or malformed parameters
    • Encoded or unusual characters in input fields
  3. Host Process Creation Logs
    • Tdarr spawning shells or interpreters
    • Unexpected child processes
    • Network utilities executed by Tdarr
  4. Network Egress Logs
    • New outbound connections from the Tdarr host
    • Connections to unknown IPs or non-standard ports
  5. File System Monitoring
    • New files in temporary directories
    • New executables or scripts
    • Modified startup or scheduled task files

High-Confidence Indicators of Compromise

  • Tdarr process spawning:
    • Shells
    • Script interpreters
    • Network utilities
  • Sudden outbound traffic from the Tdarr server
  • Files written to temporary directories without administrative action
  • Tdarr logs containing command output that should never appear in normal operation
  • Repeated or malformed requests to Help-related UI endpoints

Detection Logic

You should alert on correlation, not single events.

Suspicious Web Activity

  • Argument fields containing:
    • Shell separators
    • Piping behavior
    • Encoded control characters
  • Requests that combine:
    • Legitimate help arguments
    • Unexpected command-style syntax

Suspicious Host Activity

  • Parent process = Tdarr
  • Child process = shell, interpreter, or downloader
  • Network connections initiated immediately after Help-UI access

Behavioral Indicators

  • Tdarr performing actions unrelated to media processing
  • New scheduled tasks or services created shortly after Help-UI access
  • Tdarr generating outbound traffic in environments where it normally should not
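An added example, not from the original advisory, of the correlation rule described in this section run over constructed sample events: a Help-endpoint request carrying (URL-encoded) shell metacharacters, followed within a short window by the Tdarr process spawning a shell. The endpoint path, event field names, process name and the 30-second window are assumptions.

```javascript
// Correlated detection: suspicious Help request + Tdarr-spawned shell. Illustrative only.
const SHELL_META = /[;&|`$()<>\r\n]/;          // separators, pipes, substitution, redirection
const CHILD_OF_INTEREST = /^(sh|bash|dash|zsh|python3?|perl|curl|wget|nc)$/;

function decodeSafe(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Web / reverse-proxy event: Help-related path whose argument field carries
// shell metacharacters, either raw or URL-encoded.
function isSuspiciousRequest(req) {
  if (!/help/i.test(req.path)) return false;
  return Object.values(req.params).some((v) => SHELL_META.test(decodeSafe(String(v))));
}

// Host process-creation event: Tdarr parent spawning a shell, interpreter or downloader.
// Assumption: the parent image name contains "tdarr" (e.g. Tdarr_Server).
function isSuspiciousSpawn(proc) {
  return /tdarr/i.test(proc.parent) && CHILD_OF_INTEREST.test(proc.child);
}

// Alert only when a suspicious spawn follows a suspicious request within windowMs.
function correlate(webEvents, procEvents, windowMs = 30000) {
  const suspects = webEvents.filter(isSuspiciousRequest);
  const alerts = [];
  for (const p of procEvents.filter(isSuspiciousSpawn)) {
    for (const w of suspects) {
      const lag = p.ts - w.ts;
      if (lag >= 0 && lag <= windowMs) {
        alerts.push({ src: w.src, path: w.path, child: p.child, lagMs: lag });
      }
    }
  }
  return alerts;
}

// Constructed sample events (not real logs); ts is milliseconds.
const WEB_EVENTS = [
  { ts: 1000, src: '10.0.0.5',    path: '/api/v2/help', params: { args: '-h' } },
  { ts: 5000, src: '203.0.113.9', path: '/api/v2/help', params: { args: '-h%3B%20echo%20test' } },
];
const PROC_EVENTS = [
  { ts: 5400,  parent: 'Tdarr_Server', child: 'sh' },      // 400 ms after the crafted request
  { ts: 60000, parent: 'Tdarr_Server', child: 'ffmpeg' },  // normal transcoding work, not flagged
  { ts: 90000, parent: 'Tdarr_Server', child: 'sh' },      // no matching request: no correlated alert
];

console.log(correlate(WEB_EVENTS, PROC_EVENTS)); // one alert: 203.0.113.9 -> sh, lagMs 400
```

A Tdarr-spawned shell with no matching request still deserves a lower-severity event of its own, since the indicator list above treats it as high-confidence on a host that should only ever launch media tools.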

Incident Response Guidance

If exploitation is suspected:

  1. Immediately isolate the host from the network.
  2. Preserve logs and volatile data (process list, network connections).
  3. Inspect for persistence mechanisms (cron, services, startup scripts).
  4. Assume full compromise of the Tdarr host.
  5. Rebuild the system from a trusted image if compromise is confirmed.
  6. Rotate any credentials or keys accessible from the host.
  7. Apply the official Tdarr update before restoring service.

Mitigations (If Immediate Patch Is Not Possible)

  • Restrict access to the Tdarr web interface using:
    • Firewall rules
    • VPN-only access
    • IP allow-listing
  • Remove or block access to Help-related endpoints
  • Run Tdarr with least-privileged user permissions
  • Block outbound Internet access from the Tdarr host
  • Enable enhanced process monitoring and alerting

Official Patch / Upgrade

Upgrade Tdarr immediately using the official vendor packages or container images:

https://tdarr.io/download

Ensure both Tdarr Server and Tdarr Nodes are updated and restarted after upgrade.


Final Takeaway

CVE-2022-50919 represents a textbook example of high-impact command injection in a management interface.
Because exploitation requires no credentials and has public exploit material, any unpatched or exposed Tdarr instance should be considered high risk.

Patch immediately. Restrict access. Monitor aggressively.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.