Post

Huntarr - Your Passwords And Your Entire Arr Stacks Api Keys Are Exposed To Anyone On Your Network Or Worse The Internet

Posted
By Usman Masood Ashraf
views 5 min read
Huntarr - Your Passwords And Your Entire Arr Stacks Api Keys Are Exposed To Anyone On Your Network Or Worse The Internet

Huntarr - Your Passwords And Your Entire Arr Stacks Api Keys Are Exposed To Anyone On Your Network Or Worse The Internet

Introduction

Self-hosted media stacks built around the *Arr suite (Sonarr, Radarr, Prowlarr, etc.) represent a pinnacle of homelab automation. But a critical vulnerability in Huntarr, an aggregator tool for managing these services, exposes API keys, credentials, and administrative control of your entire stack to anyone on your local network—or the entire internet if improperly exposed. This isn’t theoretical: Huntarr’s unauthenticated API endpoints leak sensitive configuration data without requiring any login, compromising every linked service.

For DevOps engineers and sysadmins, this exemplifies the risks of deploying inadequately secured open-source tools. Homelabs often blur the line between “trusted” internal networks and external threats. A single misconfigured Docker port or reverse proxy rule can escalate this vulnerability from LAN exposure to global internet access. This guide dissects the exploit, provides immediate mitigation steps, and reinforces non-negotiable security practices for self-hosted infrastructure.

You’ll learn:

  • How Huntarr’s API exposes credentials without authentication
  • Steps to audit your *Arr stack’s network security
  • Secure alternatives and architectural patterns to isolate critical services
  • Infrastructure-as-Code (IaC) techniques to enforce least-privilege access

Understanding the Huntarr Vulnerability

What Is Huntarr?

Huntarr is an open-source dashboard designed to centralize management of *Arr applications (Sonarr, Radarr, Lidarr, etc.). Its primary function is to simplify interactions with multiple instances by aggregating their APIs into a single UI.

The Core Flaw

Huntarr’s API endpoints /api/config and /api/instances return full configuration details for connected *Arr services without requiring authentication. This includes:

  • API keys for every linked Sonarr, Radarr, Prowlarr instance
  • Service URLs and ports
  • Sensitive metadata about media libraries and download clients

Example of exposed data (anonymized):

1
2
3
4
5
6
7
8
9
10

{  
  "instances": [  
    {  
      "name": "Radarr-Main",  
      "apiKey": "a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5",  
      "url": "http://192.168.1.10:7878",  
      "type": "radarr"  
    }  
  ]  
}

With this data, an attacker can:

  1. Control all *Arr services using the stolen API keys.
  2. Access download clients (e.g., Sabnzbd, qBittorrent) linked to the *Arr stack.
  3. Exfiltrate media libraries or sabotage data.

Attack Vectors

  • Local Network: Any device on the same subnet can access http://huntarr-ip:port/api/config.
  • Internet Exposure: If Huntarr’s port is forwarded or Docker-bound to 0.0.0.0, it’s internet-accessible. Shodan scans for such services daily.
  • Cross-Site Scripting (XSS): Malicious scripts in other apps could silently call Huntarr’s API.

Why This Matters for DevOps

This flaw violates foundational security principles:

  • Authentication Bypass: Critical endpoints lack auth checks.
  • Over-Privileged Services: Huntarr stores API keys with full administrative rights.
  • Network Trust Assumptions: Treating LAN traffic as “safe” is obsolete with IoT and BYOD.

Prerequisites for Securing Your Stack

Before implementing fixes, audit your environment:

System Requirements

  • Any OS running Docker, Kubernetes, or bare-metal services.
  • Access to firewall/router configurations.

Pre-Audit Checklist

  1. Inventory Services:
    1

    docker ps --format "table $CONTAINER_NAMES\t$CONTAINER_PORTS" | grep -E 'sonarr|radarr|huntarr'

    Output:

    1
2
3
4

    NAMES          PORTS  
huntarr        0. Brutal Truth  
This vulnerability627.0.0.1:8080->8080/tcp  
radarr-main    0.0.0.0:7878->7878/tcp
  2. Network Mapping: Identify which services bind to 0.0.0.0 (all interfaces).
  3. API Key Audit: Rotate all *Arr API keys immediately.

Critical Tools

  • Reverse Proxy: Nginx, Traefik, or Caddy with HTTPS.
  • Firewall: ufw, iptables, or cloud security groups.
  • Secrets Management: Docker Secrets, HashiCorp Vault, or mozilla/sops.

Immediate Mitigation Steps

Step 1: Isolate Huntarr

If Huntarr is in use:

  • Shut down the container:
    1

    docker stop huntarr_container_name
  • Revoke all *Arr API keys: Access each service’s Settings > General > Security.

Step 2: Enforce Network Segmentation

Restrict service binding to minimize exposure:

  • Docker Control: Bind to localhost (127.0.0.1) instead of 0.0.0.0:
    1

    docker run -d --name radarr -p 127.0.0.1:7878:7878 linuxserver/radarr
  • Firewall Rules: Block inbound access to *Arr ports from untrusted networks:
    1

    ufw deny proto tcp from 192.168.2.0/24 to any port 7878  # Deny specific subnet

Step 3: Implement Reverse Proxy Authentication

Use Nginx to add Basic Auth:

1
2
3
4
5

location /huntarr {  
  proxy_pass http://localhost:8080;  
  auth_basic "Restricted";  
  auth_basic_user_file /etc/nginx/.htpasswd;  
}

Generate credentials:

1

htpasswd -c /etc/nginx/.htpasswd admin

Long-Term Security Hardening

Architecture Patterns

  • Zero-Trust Segmentation: Place all *Arr services in a dedicated VLAN. Use a VPN (WireGuard, Tailscale) for access.
  • API Gateway: Deploy an authenticated gateway (Kong, OAuth2 Proxy) for all internal APIs.

Secrets Management

Store API keys as Docker secrets:

1
2
3
4
5
6
7
8
9

services:  
  radarr:  
    image: linuxserver/radarr  
    secrets:  
      - radarr_apikey  

secrets:  
  radarr_apikey:  
    file: ./radarr-api-key.txt  # External file encrypted with sops

Infrastructure-as-Code Enforcement

Use Ansible to enforce firewall rules:

1
2
3
4
5
6

- name: Block Sonarr port from guest VLAN  
  ufw:  
    rule: deny  
    src: 192.168.100.0/24  
    port: 8989  
    proto: tcp

Monitoring and Maintenance

  • Log Analysis: Alert on unauthorized API key usage:
    1

    grep "Unauthorized" /path/to/radarr/logs/*.log | jq .
  • Automated Key Rotation: Rotate keys quarterly via cron job using *Arr APIs.

Conclusion

The Huntarr exploit underscores a harsh reality: convenience tools in homelabs often prioritize functionality over security. By treating internal networks as inherently safe, we risk catastrophic exposure. Immediate actions—network segmentation, reverse proxy authentication, and secrets management—are non-negotiable.

For DevOps professionals, this reinforces core principles:

  • Least Privilege: Services should only access what’s essential.
  • Defense-in-Depth: Layer network, app, and secret security.
  • Continuous Auditing: Regularly scan for exposed ports/secrets.

Final Recommendation: Discontinue Huntarr until it implements mandatory authentication. Instead, use secure alternatives like Organizr with properly configured auth modules or standalone service UIs behind a VPN.

Further Resources

Secure your stack as if the internet is already inside your network—because in modern environments, it often is.

Open Source, Reddit Guides, Kubernetes
homelab sysadmin how-to tools kubernetes k8s docker containers
This post is licensed under CC BY 4.0 by the author.