On October 17, 2023, two critical security flaws were discovered in CasaOS, an open-source personal cloud software. These vulnerabilities, known as CVE-2023-37265 and CVE-2023-37266, have a high CVSS score of 9.8 out of 10. Sonar security researcher Thomas Chauchefoin, who found the bugs, explained that they allow attackers to bypass authentication requirements and gain full access to the CasaOS dashboard.

In addition, CasaOS’ support for third-party applications can be exploited to run arbitrary commands on the system, granting persistent access to the device or entry into internal networks.

The flaws were responsibly disclosed on July 3, 2023, and were addressed in version 0.4.4 released by IceWhale, the maintainers of CasaOS, on July 14, 2023.

The first flaw, CVE-2023-37265, involves incorrect identification of the source IP address, enabling unauthenticated attackers to execute arbitrary commands as root on CasaOS instances. The second flaw, also CVE-2023-37265, allows unauthenticated attackers to create arbitrary JSON Web Tokens (JWTs) and access authentication-required features to execute arbitrary commands as root on CasaOS instances.

Exploiting these vulnerabilities can allow attackers to bypass authentication restrictions and gain administrative privileges on vulnerable CasaOS instances.

Thomas Chauchefoin advises against relying on IP address identification at the application layer for security decisions, as it is prone to risks and various headers can contain this information.


Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.

View Articles