
Exploiting web-based e-readers with malicious ebooks

Hi r/selfhosted!

I've posted in the past about security topics related to self-hosted applications.

This time I wondered what would happen if I put malicious scripts inside EPUBs and displayed them with several popular applications (Kavita, Audiobookshelf and Jellyfin among others).

I was able to escalate to code execution on the server / host itself in some cases, while stealing session tokens or private data in others.

Because scripting capabilities are an official part of the EPUB specification, developers face the challenge of either disallowing them or providing a safe sandbox for script execution.

The result is an article that discusses the underlying problem, case studies (with demos), the feasibility of distributing malicious ebooks and solutions to the problem.

Maybe it's of interest to some of you. :^)

Here's the article.

submitted by /u/GEBIRGE
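Added example, not code from the post or the linked article: a defender-side check that opens an EPUB, reads the OPF manifest and flags content documents that either declare the EPUB 3 `scripted` property or contain script markers in their body, so a server-side reader can refuse or sandbox them before rendering. The regex heuristics, the function names and the in-memory sample EPUB are my own assumptions.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"c": "urn:oasis:names:tc:opendocument:xmlns:container",
      "opf": "http://www.idpf.org/2007/opf"}
# Heuristic markers of scripting in a content document (an assumption, not the spec's full list).
SCRIPT_RE = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)

def find_scripted_documents(epub_bytes):
    """Return hrefs of manifest documents that carry scripts. Both the manifest's
    'scripted' property and the document body are checked: a hostile file need not declare it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(epub_bytes)) as z:
        container = ET.fromstring(z.read("META-INF/container.xml"))
        opf_path = container.find(".//c:rootfile", NS).get("full-path")
        opf_dir = opf_path.rsplit("/", 1)[0] + "/" if "/" in opf_path else ""
        package = ET.fromstring(z.read(opf_path))
        for item in package.findall(".//opf:manifest/opf:item", NS):
            href = item.get("href")
            declared = "scripted" in (item.get("properties") or "").split()
            body = z.read(opf_dir + href) if item.get("media-type") == "application/xhtml+xml" else b""
            if declared or SCRIPT_RE.search(body):
                findings.append(href)
    return findings

def build_sample_epub(chapters):
    """Construct a minimal EPUB in memory from {href: xhtml bytes} (test fixture only)."""
    container = ('<?xml version="1.0"?><container version="1.0" xmlns="urn:oasis:names:tc:'
                 'opendocument:xmlns:container"><rootfiles><rootfile full-path="OEBPS/content.opf"'
                 ' media-type="application/oebps-package+xml"/></rootfiles></container>')
    items = "".join(f'<item id="c{i}" href="{h}" media-type="application/xhtml+xml"/>'
                    for i, h in enumerate(chapters))
    opf = f'<package xmlns="http://www.idpf.org/2007/opf"><manifest>{items}</manifest></package>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/epub+zip")  # first entry, stored uncompressed
        z.writestr("META-INF/container.xml", container)
        z.writestr("OEBPS/content.opf", opf)
        for href, body in chapters.items():
            z.writestr("OEBPS/" + href, body)
    return buf.getvalue()

SAMPLE = build_sample_epub({  # constructed fixture: one plain chapter, two scripted ones
    "ch1.xhtml": b"<html><body><p>Plain chapter, no scripting.</p></body></html>",
    "ch2.xhtml": b'<html><body onload="init()"><p>Inline event handler.</p></body></html>',
    "ch3.xhtml": b"<html><body><script>document.title = 'x';</script></body></html>",
})
```

Flagged documents are the ones a reader should serve only inside a sandboxed frame on a separate origin, or not at all, rather than inline in the application's own page.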