search menu icon-carat-right cmu-wordmark

CERT Coordination Center

WinAmp playlist handling may allow a remote buffer overflow and arbitrary code execution

Vulnerability Note VU#986504

Original Release Date: 2005-02-21 | Last Revised: 2005-02-21


WinAmp contains a flaw which may allow a remote system compromise if a maliciously crafted playlist is loaded.


Nullsoft's WinAmp is a multimedia system for Microsoft Windows. WinAmp allows users to create and use "playlists" to play their multimedia files in a customized order.

WinAmp versions previous to 5.08c contain a flaw in playlist handling code which may allow arbitrary code to be executed. In addition, WinAmp playlists may be loaded from remote locations on the Internet without user intervention, so this flaw may be exploited by a remote user.

This WinAmp flaw exposes a stack-based buffer overflow, which allows remote execution of arbitrary code. A playlist which contains a long device name or file number for some types of files (including .cda) may overflow the handler code in the IN_CDDA.dll plug-in and execute arbitrary code.

Also, the default configuration of Internet Explorer and WinAmp will open remote .pls and .m3u playlist files without prompting the user. Other web browsers (due to user settings or defaults) may also open these types of files automatically. As such, a standard HTML document can embed a playlist file to automatically load when the user follows a normal link to this malicious page. This creates a condition where it is possible to exploit the flaw by simply loading an innocuous-looking web page.


WinAmp may encounter a stack-based buffer overflow condition which would allow remote arbitrary code execution under the privileges of the user running WinAmp. This could lead to total system compromise and control by a malicious attacker.


Apply an update

This flaw has been corrected in WinAmp version 5.08c and later. Download and install the latest version from:


Note: This flaw has been re-discovered in a series of the latest WinAmp releases. Should the flaw re-occur again, a recommended course of action until an update is developed is:

Do not open unknown .cda, .pls or .m3u files.
Do not open .cda, .pls or .m3u files automatically with WinAmp in your web browser.

Of course, these recommendations always apply to any unknown files and file types. It is also always advised for all users to ensure their browser settings prompt for the desired action (Save, Cancel, Open) with all file types that may load remote data, such as WinAmp .pls or .m3u playlist file types.

Vendor Information


Nullsoft Affected

Notified:  January 28, 2005 Updated: February 21, 2005



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Updates which address this flaw may be found at the Nullsoft WinAmp web page.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to Brett Moore for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

CVE IDs: CVE-2004-1119
Severity Metric: 14.03
Date Public: 2004-11-23
Date First Published: 2005-02-21
Date Last Updated: 2005-02-21 21:22 UTC
Document Revision: 26

Sponsored by CISA.