
Swing Music vulnerability writeup


I found a file-access issue in Swing Music’s streaming endpoint. In short: a crafted request could try to fetch files outside the music library. I reported it privately, worked with the maintainer, and a fix is now shipped. If you run Swing Music, please update.

What happened

  • The stream endpoint trusted a filepath parameter too much.
  • With certain inputs, the server could be tricked into looking beyond the music folders.
  • Swing Music already tracks files via a TrackStore, but the endpoint mixed direct file paths and track lookups in a way that could be abused.

# flawed: uses user-provided filepath directly, no normalization or root check
filepath = request.args.get("filepath", "")
return send_file(filepath, as_attachment=True)

Impact

An attacker with access to the streaming endpoint could attempt to read files outside the music library; whether that succeeds depends on server configuration and file permissions. I validated the behavior safely on my own instance; no production data was accessed.

The fix

Maintainer fg006 (wanji) added input sanitization, path-traversal detection, checks against the configured root directories, and stricter track selection (serve the real on-disk track that matches the requested identifier).

# fixed: normalize, whitelist, serve stored file
from pathlib import Path

# request, send_from_directory, UserConfig and TrackStore come from the app's
# framework and modules; their imports are not part of the commit excerpt
fp = Path(request.args.get("filepath", "").strip()).resolve()   # collapse ".." and symlinks
roots = [Path(r).resolve() for r in UserConfig().rootDirs]      # configured music roots
if not any(r == fp or r in fp.parents for r in roots):          # path must sit inside a root
    return {"error": "invalid filepath"}, 400

trackhash = request.args.get("trackhash", "").strip()
tracks = TrackStore.get_tracks_by_filepaths([str(fp)])          # only tracks the library knows
t = next((x for x in tracks if x.trackhash == trackhash), None)
if t:
    p = Path(t.filepath).resolve()                               # serve the stored path, not the raw input
    return send_from_directory(p.parent, p.name, as_attachment=True)

Snippet taken from d7e2710
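To show why the resolve-then-compare check in the patch holds up, here is an added, stand-alone version of that containment logic (my example, not Swing Music's code) run against a temporary library built on the fly. It goes slightly beyond the snippet above by also exercising a symlink that points outside the root, which resolve() follows and therefore rejects. The directory layout, file names and the hypothetical filepath values are all constructed for the demo.

```python
# Added example, not Swing Music's own code: a stand-alone version of the
# root-containment check, exercised against a constructed temporary library.
from __future__ import annotations

import tempfile
from pathlib import Path


def is_within_roots(candidate: str, roots: list[Path]) -> bool:
    """True only if `candidate` resolves to a location inside one of `roots`.

    resolve() collapses ".." segments and follows symlinks, so both a
    traversal string and an escaping symlink end up outside every root.
    """
    fp = Path(candidate).resolve()
    return any(r == fp or r in fp.parents for r in roots)


def build_demo_library() -> tuple[Path, Path]:
    """Create a constructed music root with one track and one escaping symlink."""
    base = Path(tempfile.mkdtemp(prefix="swing-demo-"))
    root = base / "music"
    (root / "album").mkdir(parents=True)
    (root / "album" / "song.mp3").write_bytes(b"ID3 constructed sample")
    secret = base / "outside.txt"          # lives next to, not inside, the root
    secret.write_text("not part of the library")
    try:
        (root / "album" / "escape.mp3").symlink_to(secret)
    except OSError:
        pass  # symlink creation may be unavailable on some platforms
    return root, secret


def escape_symlink_exists(root: Path) -> bool:
    return (root / "album" / "escape.mp3").is_symlink()


def classify_requests(root: Path) -> dict[str, bool]:
    """Evaluate constructed `filepath` values against a single configured root."""
    roots = [root.resolve()]  # resolve the root too (e.g. /tmp -> /private/tmp on macOS)
    requests = {
        "legit": str(root / "album" / "song.mp3"),
        "traversal": str(root / "album" / ".." / ".." / "outside.txt"),
        "absolute": str(root.parent / "outside.txt"),
        "symlink": str(root / "album" / "escape.mp3"),
        "root_itself": str(root),
    }
    return {name: is_within_roots(value, roots) for name, value in requests.items()}


if __name__ == "__main__":
    demo_root, _ = build_demo_library()
    for name, allowed in classify_requests(demo_root).items():
        print(f"{name:12s} -> {'allowed' if allowed else 'rejected'}")
```

Note that the check compares resolved paths rather than string prefixes: a prefix test on `/srv/music` would wrongly admit `/srv/music-backup/...`, while `r in fp.parents` only matches whole path components.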

Timeline

  • Discovery and local validation
  • Responsible report to project maintainers
  • Patch committed (d7e2710)
  • Public announcement (Telegram and GitHub); users advised to update

Advice

  • Update Swing Music to v2.1.0.
  • Verify your configured root music directories are correct.
  • If your server is exposed, review logs for odd requests and consider extra hardening, particularly file permissions: make sure the user running the swingmx server has read access only to what it needs.
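As an added example of the log review suggested above (my code, not the project's), the following scans access-log lines for a `filepath` query parameter that contains a dot-dot segment or normalizes to a location outside the configured roots. The log lines, the `/stream` path and the `/srv/music` root are constructed for the demo; the real endpoint path and your roots will differ. It also decodes the parameter a second time so a double-percent-encoded traversal is not missed.

```python
# Added example, not from the post or the project: flag access-log requests
# whose `filepath` parameter tries to leave the configured music roots.
from __future__ import annotations

import posixpath
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined-log shape; "/stream" is an assumed endpoint path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /stream?filepath=/srv/music/album/song.mp3&trackhash=abc123 HTTP/1.1" 200 51234
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /stream?filepath=/srv/music/../../etc/passwd&trackhash=abc123 HTTP/1.1" 400 27
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /stream?filepath=%252Fsrv%252Fmusic%252F..%252F..%252Fetc%252Fshadow HTTP/1.1" 400 27
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /stream?filepath=/etc/hostname HTTP/1.1" 400 27
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /api/tracks HTTP/1.1" 200 8821
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_filepath(raw: str, roots: list[str]) -> str | None:
    """Return a reason string if `raw` looks like an escape attempt, else None.

    `raw` is already percent-decoded once by parse_qs; decoding again catches
    double-encoded input. Normalization is purely lexical (no filesystem access).
    """
    decoded = unquote(raw)
    if ".." in PurePosixPath(decoded).parts:
        return "dot-dot segment"
    normalized = posixpath.normpath(decoded)
    inside = any(
        normalized == r.rstrip("/") or normalized.startswith(r.rstrip("/") + "/")
        for r in roots
    )
    return None if inside else "outside configured roots"


def scan_log(text: str, roots: list[str]) -> list[dict]:
    """Parse each line and collect requests whose filepath parameter is suspicious."""
    hits: list[dict] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for fp in parse_qs(query).get("filepath", []):
            reason = suspicious_filepath(fp, roots)
            if reason:
                hits.append({
                    "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                    "filepath": fp, "reason": reason,
                })
    return hits


def count_by_ip(hits: list[dict]) -> dict[str, int]:
    """Summarize flagged requests per source address for a quick triage view."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG, ["/srv/music"]):
        print(f'{h["time"]} {h["ip"]} {h["status"]} {h["reason"]}: {h["filepath"]}')
```

A 400 on a flagged line means the patched server rejected the request; a 200 on one would be the line worth investigating, since it indicates the check was not in place at the time.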

Thanks to fg006 (wanji) for turning around the patch quickly and handling the disclosure well.

Check out my swingmx instance as well as how I handle self-hosting services.



about the author

Pablo Gracia is a high school student from California. He is passionate about technology and music. He is the creator of this blog and the author of all the posts. He is also the creator of the Supernova Experience.

