CVE-2025-34442
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-19
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 20.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34442 is a vulnerability in AVideo versions prior to 20.0 where multiple public API endpoints disclose absolute filesystem paths to media files. This means that the API responses include full server directory paths, revealing the underlying filesystem structure. This exposure happens through the `Video::getSourceFile` method and related APIs, which returned path information by default. The vulnerability allows unauthorized users to gain sensitive information about the server's file system, which can be used to facilitate more effective attack chains. The issue was fixed by modifying the method to exclude filesystem paths from API responses unless explicitly requested internally. [1, 2]
How can this vulnerability impact me? :
This vulnerability can impact you by exposing sensitive server information, specifically the absolute filesystem paths of media files, to unauthorized users through public API endpoints. Attackers can use this information to better understand the server environment and craft more effective attacks against the system. Although the impact on confidentiality, integrity, and availability is rated as low, the disclosure of filesystem paths increases the risk of targeted attacks and exploitation of other vulnerabilities. [2, 1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by inspecting API responses from your AVideo server for the presence of absolute filesystem paths in metadata fields. Specifically, monitor responses from public API endpoints that return media file information and check if they include full server paths. A practical approach is to use command-line tools like curl or wget to query these endpoints and grep or jq to search for filesystem path patterns (e.g., strings starting with '/' or drive letters). For example, you can run: curl -s http://your-avideo-server/api/endpoint | grep -E '/[\w/\-]+' or use jq to parse JSON responses and look for 'path' keys containing absolute paths. If such paths are present, your system is vulnerable. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade your AVideo installation to version 20.0 or later, where the issue has been fixed. The fix involves modifying the Video::getSourceFile method and related API endpoints to exclude filesystem paths from public API responses by default. If upgrading is not immediately possible, restrict access to the affected API endpoints to trusted users only and monitor API responses for path disclosures. Additionally, review your server logs and configurations to ensure no sensitive path information is being exposed externally. [1, 2]