CVE-2022-24900: Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulne...

Description

Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input is passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessiates this behaviour, one can either use the `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.

Metrics

CVSS 3.1

8.6/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS Probability

8.04%

94.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Piano Led Visualizer Project	Piano Led Visualizer	<= 1.3

References

https://github.com/onlaj/Piano-LED-Visualizer/blob/6a732caa812c83a807c711f3d091af99209cae7b/webinterface/views_api.py#L970Exploit, Third Party Advisory
https://github.com/onlaj/Piano-LED-Visualizer/commit/3f10602323cd8184e1c69a76b815655597bf0ee5Patch, Third Party Advisory
https://github.com/onlaj/Piano-LED-Visualizer/issues/350Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/onlaj/Piano-LED-Visualizer/pull/351Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/onlaj/Piano-LED-Visualizer/security/advisories/GHSA-g78x-q3x8-r6m4Exploit, Patch, Third Party Advisory
https://github.com/onlaj/Piano-LED-Visualizer/blob/6a732caa812c83a807c711f3d091af99209cae7b/webinterface/views_api.py#L970Exploit, Third Party Advisory
https://github.com/onlaj/Piano-LED-Visualizer/commit/3f10602323cd8184e1c69a76b815655597bf0ee5Patch, Third Party Advisory
https://github.com/onlaj/Piano-LED-Visualizer/issues/350Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/onlaj/Piano-LED-Visualizer/pull/351Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/onlaj/Piano-LED-Visualizer/security/advisories/GHSA-g78x-q3x8-r6m4Exploit, Patch, Third Party Advisory

Timeline

Published: Apr 29, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-24900?

Piano LED Visualizer is software that allows LED lights to light up as a person plays a piano connected to a computer. Version 1.3 and prior are vulnerable to a path traversal attack. The `os.path.join` call is unsafe for use with untrusted input. When the `os.path.join` call encounters an absolute path, it ignores all the parameters it has encountered till that point and starts working with the new absolute path. Since the "malicious" parameter represents an absolute path, the result of `os.path.join` ignores the static directory completely. Hence, untrusted input is passed via the `os.path.join` call to `flask.send_file` can lead to path traversal attacks. A patch with a fix is available on the `master` branch of the GitHub repository. This can also be fixed by preventing flow of untrusted data to the vulnerable `send_file` function. In case the application logic necessiates this behaviour, one can either use the `flask.safe_join` to join untrusted paths or replace `flask.send_file` calls with `flask.send_from_directory` calls.

How severe is CVE-2022-24900?

CVE-2022-24900 has a CVSS score of 8.6/10 (HIGH severity). The EPSS model estimates a 8.04% probability of exploitation in the next 30 days.

How do I fix CVE-2022-24900?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.