Description

Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities in that allow an authenticated attacker to write arbitrary files to the server filesystem. The issue exists in the subtitle download functionality, where user-controlled parameters are used to fetch remote content and construct file paths without proper validation. By supplying a crafted subtitle download URL and a path traversal sequence in the file name, an attacker can write files to arbitrary locations on the server, potentially leading to remote code execution.

Related CPE's

Could not find any relations

References

https://chocapikk.com/posts/2025/streama-path-traversal-ssrf/

https://github.com/streamaserver/streama/commit/b7c8767

https://www.vulncheck.com/advisories/streama-subtitle-download-path-traversal-and-ssrf-leading-to-arbitrary-file-write

Weaknesses

[email protected]

Primary
CWE-22CWE-918

CVSS impact metrics

Missing metrics for CVSS V

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Awaiting analysis

Published

2025-12-18T22:15:56.473

22 hours ago

Last modified

2025-12-19T18:00:18.330

3 hours ago