


Perceptive Security
SOC/SIEM Consultancy

Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any…
Published:
24 March 2026 at 23:00:00
Alert date:
25 March 2026 at 22:02:27
Source:
nvd.nist.gov
Operating Systems, Enterprise Applications
Sonarr versions on the 4.x branch prior to 4.0.17.2950 contain a critical vulnerability that allows an unauthenticated remote attacker to read arbitrary files on Windows systems. Files that can be read include application configuration files containing API keys and database credentials, Windows system files, and user-accessible files. The issue stems from insufficient directory traversal protection in the API. Only Windows systems are affected; macOS and Linux are not. Patches are available in version 4.0.17.2950 for the nightly/develop branch and in version 4.0.17.2952 for stable/main releases. Workarounds include restricting Sonarr to secure internal networks with VPN access.
Affected products:
Sonarr
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-30976
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2950
https://github.com/Sonarr/Sonarr/releases/tag/v4.0.17.2952
https://github.com/Sonarr/Sonarr/security/advisories/GHSA-h393-v5hm-6h8f
This article was created with the assistance of AI technology by Perceptive.
