[Live-devel] [Security Vulnerability Report] RTSP Session Hijacking via Session Token Reuse Without Re-Authentication - LIVE555 v2026.04.01
Ross Finlayson
finlayson at live555.com
Wed Apr 22 16:10:27 PDT 2026
Many thanks for the report.
First, note that the RTSP protocol does not require that all operations on an RTSP session be sent on a single TCP connection. In the protocol, it is possible to send RTSP commands (for the same session) over multiple TCP connections that don’t necessarily come from the same client IP address. Thus, within a session that is not authenticated (with a username+password), it is not possible for a (compliant) server to protect against the use of a stolen session id.
However, if a session is required to be authenticated (with a username+password), then you’re correct that a server should check this when handling each RTSP command, and not just use the session id for authentication. And you’re correct that our RTSP server implementation did not properly implement this (except for “DESCRIBE” and “SETUP”).
So, I have just released a new version (2026-04-22) of the “LIVE555 Streaming Media” code that - for authenticated sessions - checks authentication not just for “DESCRIBE” and “SETUP”, but also for "PLAY", "PAUSE", "TEARDOWN", and “SET_PARAMETER” (but not for “GET_PARAMETER” or “OPTIONS”, as those are read-only operations).
Thanks again,
Ross Finlayson
Live Networks, Inc.
http://www.live555.com/
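
The per-command check described in the message above, modelled as an added example; it is not part of the original message and is not LIVE555 code. All type and function names are hypothetical, and a plain username/password comparison stands in for validating the RTSP `Authorization:` header.

```cpp
#include <map>
#include <set>
#include <string>

// Hypothetical model of an RTSP request after header parsing.
struct Request {
    std::string method;     // e.g. "PLAY"
    std::string sessionId;  // value of the Session: header ("" if absent)
    std::string user, pass; // decoded credentials ("" if no Authorization header)
};

struct Server {
    std::map<std::string, std::string> users; // username -> password; empty = no auth required
    std::set<std::string> sessions;           // live session ids
    bool perCommandAuth;                      // false models checking only DESCRIBE/SETUP

    bool credentialsOk(const Request& r) const {
        auto it = users.find(r.user);
        return it != users.end() && it->second == r.pass;
    }

    // Returns an RTSP status code: 200 OK, 401 Unauthorized, 454 Session Not Found.
    int handle(const Request& r) const {
        static const std::set<std::string> alwaysChecked = {"DESCRIBE", "SETUP"};
        static const std::set<std::string> sessionCmds =
            {"PLAY", "PAUSE", "TEARDOWN", "SET_PARAMETER"};
        bool needsAuth = !users.empty() &&
            (alwaysChecked.count(r.method) ||
             (perCommandAuth && sessionCmds.count(r.method)));
        if (needsAuth && !credentialsOk(r)) return 401;
        if (r.method == "OPTIONS" || r.method == "DESCRIBE" || r.method == "SETUP")
            return 200; // these do not need an existing session
        // GET_PARAMETER and the session commands still need a known session id.
        return sessions.count(r.sessionId) ? 200 : 454;
    }
};

// Constructed sample state: one user and one established session.
Server demoServer(bool perCommandAuth) {
    Server s;
    s.users["alice"] = "s3cret";
    s.sessions.insert("ABCD1234");
    s.perCommandAuth = perCommandAuth;
    return s;
}
```

With `perCommandAuth` set to false, a `PLAY` carrying only a known session id is accepted; with it set to true, the same request gets 401 unless valid credentials accompany it.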