Streama CVE-2025-34452
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable authenticated endpoint (PR:L), single request with no interaction (AC:L/UI:N); arbitrary file write plus SSRF enabling potential RCE justifies C:H/I:H/A:H.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities in that allow an authenticated attacker to write arbitrary files to the server filesystem. The issue exists in the subtitle download functionality, where user-controlled parameters are used to fetch remote content and construct file paths without proper validation. By supplying a crafted subtitle download URL and a path traversal sequence in the file name, an attacker can write files to arbitrary locations on the server, potentially leading to remote code execution.
AnalysisAI
Arbitrary file write in Streama (open-source self-hosted media server) versions 1.10.0 through 1.10.5 lets an authenticated user chain a path traversal flaw with a server-side request forgery in the subtitle download feature to plant files anywhere the application process can write, potentially escalating to remote code execution. The subtitle endpoint trusts both the remote fetch URL and the destination filename, so a crafted download link plus a '../' filename escapes the intended staging directory. There is no CISA KEV listing and no packaged exploit is flagged in the source data, though a detailed VulnCheck advisory and a public technical write-up (chocapikk.com) describe the mechanics.
Technical ContextAI
Streama is a Grails/Groovy self-hosted video streaming application. The defect lives in SubtitlesController.groovy and OpensubtitlesService.groovy, which accept user-controlled subtitleLink (the remote URL to fetch) and subtitleName (the on-disk filename) and pass them into ZipHelper.groovy, where the file was written with 'new FileOutputStream("$stagingDir/$originalFileName")' - direct string concatenation with no canonicalization. This maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): because '..' sequences in the filename were never rejected, the write target could climb out of the staging directory. The same code path also fetched an attacker-supplied URL with no host restriction (an SSRF / CWE-918 condition), which the fix addresses by introducing an ALLOWED_SUBTITLE_HOSTS allowlist limited to opensubtitles.org domains and enforcing http/https only. The remediation commit adds three defensive layers: controller-level rejection of '..', '/', '\' in filenames; canonical-path validation that the resolved target stays within the staging directory; and the URL allowlist.
Affected ProductsAI
Streama (streamaserver/streama) versions 1.10.0 through 1.10.5, and any build prior to fix commit b7c8767, are affected. No CPE string was provided in the input. The vendor is the open-source Streama project on GitHub; the authoritative references are the VulnCheck advisory (https://www.vulncheck.com/advisories/streama-subtitle-download-path-traversal-and-ssrf-leading-to-arbitrary-file-write) and the fix commit (https://github.com/streamaserver/streama/commit/b7c8767).
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - update Streama to a build that includes commit b7c8767 (https://github.com/streamaserver/streama/commit/b7c8767), which adds filename path-traversal rejection, canonical-path containment checks in ZipHelper, and an opensubtitles.org host allowlist for subtitle fetches. Because the fix is referenced as a commit rather than a tagged release, operators should build from the patched source or confirm with the project which release incorporates it before relying on a version number. Until patched, restrict who can authenticate to Streama (the flaw needs a valid account), place the instance behind a VPN or trusted-network boundary rather than exposing it to the internet, and run the application process under a low-privilege OS user with a tightly scoped writable directory so a traversal write cannot reach web-root, cron, or startup-script locations that would yield code execution; egress-filter outbound connections from the server to blunt the SSRF component, accepting that this may break legitimate subtitle downloads. These are compensating controls, not equivalents to the code fix.
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today