CVE-2025-34442
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-19

Assigner: VulnCheck

Description
AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34442
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 20.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34442 is a vulnerability in AVideo versions prior to 20.0 where multiple public API endpoints disclose absolute filesystem paths to media files. This means that the API responses include full server directory paths, revealing the underlying filesystem structure. This exposure happens through the `Video::getSourceFile` method and related APIs, which returned path information by default. The vulnerability allows unauthorized users to gain sensitive information about the server's file system, which can be used to facilitate more effective attack chains. The issue was fixed by modifying the method to exclude filesystem paths from API responses unless explicitly requested internally. [1, 2]

Impact Analysis

This vulnerability can impact you by exposing sensitive server information, specifically the absolute filesystem paths of media files, to unauthorized users through public API endpoints. Attackers can use this information to better understand the server environment and craft more effective attacks against the system. Although the impact on confidentiality, integrity, and availability is rated as low, the disclosure of filesystem paths increases the risk of targeted attacks and exploitation of other vulnerabilities. [2, 1]

Detection Guidance

You can detect this vulnerability by inspecting API responses from your AVideo server for the presence of absolute filesystem paths in metadata fields. Specifically, monitor responses from public API endpoints that return media file information and check if they include full server paths. A practical approach is to use command-line tools like curl or wget to query these endpoints and grep or jq to search for filesystem path patterns (e.g., strings starting with '/' or drive letters). For example, you can run: curl -s http://your-avideo-server/api/endpoint | grep -E '/[\w/\-]+' or use jq to parse JSON responses and look for 'path' keys containing absolute paths. If such paths are present, your system is vulnerable. [2]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade your AVideo installation to version 20.0 or later, where the issue has been fixed. The fix involves modifying the Video::getSourceFile method and related API endpoints to exclude filesystem paths from public API responses by default. If upgrading is not immediately possible, restrict access to the affected API endpoints to trusted users only and monitor API responses for path disclosures. Additionally, review your server logs and configurations to ensure no sensitive path information is being exposed externally. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34442. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart