TinyIce versions 0.8.95 through 2.4.1 have a missing authentication vulnerability (CWE-306) on the WebRTC ingest endpoint, permitting unauthenticated stream injection. The issue is resolved in version 2.5.0 by requiring HTTP Basic authentication or a password query parameter validated with bcrypt against configured source passwords. The fix also includes brute-force IP rate limiting and rejecting requests for disabled mounts. Furthermore, the POST /admin/golive/chunk endpoint's security is enhanced by verifying session user's per-mount access and CSRF tokens. This vulnerability has a CVSS 3.1 score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L), reflecting network attack vector, low attack complexity, no privileges or user interaction needed, no confidentiality impact, high integrity impact, and low availability impact.

The vulnerability allows unauthenticated attackers to inject unauthorized streams into the tinyice server via the WebRTC ingest endpoint, potentially disrupting legitimate streaming content (integrity impact) and causing limited denial of service (availability impact). There is no confidentiality impact. The POST /admin/golive/chunk endpoint could previously be abused due to insufficient session and CSRF validation, increasing risk of unauthorized administrative actions. No known exploits are reported in the wild.

Version 2.5.0 of tinyice fixes this vulnerability by enforcing authentication on the WebRTC ingest endpoint using HTTP Basic auth or a password query parameter validated with bcrypt, implementing brute-force IP rate limiting, and rejecting requests for disabled mounts. It also strengthens security on the POST /admin/golive/chunk endpoint by verifying per-mount access and CSRF tokens. Users should upgrade to version 2.5.0 or later to remediate this issue. Patch status is not explicitly confirmed by a vendor advisory, so verify with DatanoiseTV's official channels for the latest remediation guidance.