Logitech Streamlabs Desktop 1.19.6 (overlay) CPU Exhaustion
Advisory ID: ZSL-2025-5967
Type: Local/Remote
Impact: DoS
Risk: (2/5)
Release Date: 13.11.2025
Summary
Streamlabs Desktop is a free streaming and recording software, built on OBS Studio, for content creators to stream live to platforms like Twitch, YouTube, and Facebook. It is designed to be beginner-friendly and offers tools for creating engaging streams, such as customizable overlays, alerts for viewer interactions, and the ability to add guests to a stream.
Description
A vulnerability exists in Streamlabs Desktop where importing a crafted .overlay file can cause uncontrolled CPU consumption, leading to a denial-of-service condition. The .overlay file is an archive containing a config.json configuration. By inserting an excessively large string into the name attribute of a scene object within config.json, the application's renderer process (Frameworks/Streamlabs Desktop Helper (Renderer).app) spikes to over 150% CPU and becomes unresponsive. This forces the victim to terminate the application manually, resulting in loss of availability. An attacker could exploit this by distributing malicious overlay files to disrupt streaming operations.
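The check below is an added example written for this advisory, not the PoC script referenced in the PoC section and not Streamlabs code: it opens an .overlay archive, parses its config.json and reports any string value (such as a scene name) longer than a configurable limit, so an oversized overlay can be rejected before import rather than handed to the renderer. It assumes the archive is a ZIP file with config.json at its root and that scenes live in a top-level scenes list; the advisory does not specify either, so both are assumptions.

```python
import io
import json
import zipfile

# Assumptions not stated in the advisory: the .overlay archive is a ZIP file
# with config.json at its root. Adjust ARCHIVE_MEMBER if the layout differs.
ARCHIVE_MEMBER = "config.json"
MAX_STRING_LEN = 256            # cap for any string value; tune per deployment
MAX_CONFIG_BYTES = 5 * 1024 * 1024

def find_oversized_strings(node, max_len=MAX_STRING_LEN, path="$"):
    """Walk parsed JSON and return (json_path, length) for every string
    longer than max_len. Generic on purpose: it catches the scene 'name'
    case from the advisory as well as any other oversized attribute."""
    findings = []
    if isinstance(node, str):
        if len(node) > max_len:
            findings.append((path, len(node)))
    elif isinstance(node, dict):
        for key, value in node.items():
            findings.extend(find_oversized_strings(value, max_len, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_oversized_strings(value, max_len, f"{path}[{i}]"))
    return findings

def check_overlay(overlay_bytes, max_len=MAX_STRING_LEN):
    """Inspect an .overlay archive given as bytes. Returns a list of findings;
    an empty list means the config passed the size checks."""
    with zipfile.ZipFile(io.BytesIO(overlay_bytes)) as zf:
        info = zf.getinfo(ARCHIVE_MEMBER)
        if info.file_size > MAX_CONFIG_BYTES:
            # Refuse to parse a config whose declared size is already huge.
            return [("<" + ARCHIVE_MEMBER + ">", info.file_size)]
        config = json.loads(zf.read(ARCHIVE_MEMBER))
    return find_oversized_strings(config, max_len)

def build_sample_overlay(scene_name):
    """Constructed fixture (assumed layout): an archive with a single scene."""
    config = {"scenes": [{"name": scene_name, "sources": []}]}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(ARCHIVE_MEMBER, json.dumps(config))
    return buf.getvalue()

if __name__ == "__main__":
    for name in ("Main Scene", "A" * 5000):
        print(check_overlay(build_sample_overlay(name)))
```

A non-empty result names the JSON path of the offending value, which is enough to log, quarantine the file, or refuse the import.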
Vendor
Logitech | General Workings, Inc. - https://www.logitech.com | https://www.streamlabs.com
Affected Version
1.19.6
Tested On
macOS Sequoia version 15.7.2
Microsoft Windows 11 25H2
Microsoft Windows 10
Vendor Status
[15.10.2025] Vulnerability discovered.
[15.10.2025] Vendor contacted.
[15.10.2025] Vendor's security submission through h1 does not work.
[16.10.2025] Vendor communication tried again.
[16.10.2025] Vendor's security submission through h1 does not work.
[13.11.2025] Public security advisory released.
PoC
logitech_streamlabs_cpu.py
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] https://packetstorm.news/files/id/211594/
Changelog
[13.11.2025] - Initial release
[15.11.2025] - Added reference [1]
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]