Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Network-delivered archive but victim must trigger subtitle extraction (UI:R); no auth needed; arbitrary file write yields high integrity/availability and limited confidentiality via dropped code, scope unchanged within user context.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing a malicious archive to perform path traversal and write arbitrary files to the host filesystem. The subtitle extraction process downloads a ZIP archive and extracts its entries. The destination file path is constructed by concatenating the raw archive entry name (extracted.name) directly to the temporary directory path. If a malicious ZIP archive containing directory traversal sequences is processed, it escapes the temporary directory boundaries. The application then writes the extracted payload anywhere on the host filesystem subject to the application's current write permissions. This issue has been fixed in version 2.5.0.
AnalysisAI
Arbitrary file write in Streambert Electron desktop app (versions ≤2.4.0) allows remote attackers to drop files anywhere the app process can write by serving a malicious subtitle ZIP archive. The subtitle extraction routine concatenates raw archive entry names to the destination path without sanitization, enabling classic Zip Slip path traversal that can be escalated to code execution by overwriting startup or configuration files. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the victim to initiate subtitle extraction in Streambert ≤2.4.0 against an attacker-controlled subtitle archive - meaning the attacker must either compromise/spoof a subtitle provider the client queries, run a man-in-the-middle on the subtitle download, or trick the user into selecting a malicious media source whose subtitle URL they control. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H) appears overstated for the described attack: exploitation requires the victim to trigger subtitle extraction for an attacker-controlled media/subtitle source, which in a desktop client is effectively user-driven rather than truly unauthenticated remote. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a media entry whose subtitle source returns a ZIP archive containing an entry named like `../../../../Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/payload.exe`. When the victim plays the title in Streambert ≤2.4.0, the client fetches and extracts the archive, dropping the payload into the autostart folder; on the next login the attacker gains code execution as the user. … |
| Remediation | Upgrade to Streambert 2.5.0 or later, released at https://github.com/truelockmc/streambert/releases/tag/2.5.0, which contains the fix credited to @jeremyHOT and @truelockmc per the advisory at https://github.com/truelockmc/streambert/security/advisories/GHSA-3q2x-3q9p-qwfc. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Streambert versions ≤2.4.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37500