CVE-2025-34452
📋 TL;DR
This vulnerability in Streama allows authenticated attackers to write arbitrary files to the server filesystem by exploiting path traversal and SSRF in the subtitle download functionality. Attackers can potentially achieve remote code execution by writing malicious files to critical locations. All Streama instances running affected versions are vulnerable.
💻 Affected Systems
- Streama
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Arbitrary file write allowing attackers to modify configuration files, deploy web shells, or escalate privileges.
If Mitigated
Limited impact if proper network segmentation and file system permissions restrict write access to sensitive locations.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authentication is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit b7c8767 or later
Vendor Advisory: https://github.com/streamaserver/streama/commit/b7c8767
Restart Required: Yes
Instructions:
1. Update Streama to commit b7c8767 or later.
2. Restart the Streama service.
3. Verify the fix by checking the version.
🔧 Temporary Workarounds
Disable subtitle download functionality
Temporarily disable the vulnerable subtitle download feature until patching is possible
Modify Streama configuration to disable subtitle downloads
Restrict network access
Limit the Streama server's ability to make outbound HTTP requests to prevent SSRF exploitation
Configure firewall rules to block outbound HTTP/HTTPS from Streama except to trusted sources
🧯 If You Can't Patch
- Implement strict file system permissions to restrict write access to sensitive directories
- Deploy network segmentation to isolate Streama instances from critical infrastructure
🔍 How to Verify
Check if Vulnerable:
Check the Streama version against the affected range, 1.10.0-1.10.5, or whether the deployment is running code prior to commit b7c8767
Check Version:
Check the Streama web interface or configuration files for version information
Verify Fix Applied:
Verify that Streama is running commit b7c8767 or later by checking the git commit hash
📡 Detection & Monitoring
Log Indicators:
- Unusual subtitle download requests with path traversal sequences
- File write operations to unexpected directories
- Outbound HTTP requests to unusual domains from Streama
Network Indicators:
- HTTP requests from Streama to internal services or metadata endpoints
- Unusual file transfer patterns from Streama server
SIEM Query:
source="streama" AND (url="*../*" OR dest_ip="169.254.169.254" OR dest_ip="metadata.google.internal")
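As an added example (not from this page or the Streama project), the log indicators and SIEM query above expressed as a small detector run over constructed SIEM export lines. The `/subtitle/` endpoint prefix and the `key="value"` export format are assumptions, and the SSRF check generalizes the two metadata hosts named in the query to any private or link-local destination.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample SIEM export lines (not real Streama logs); the field
# names mirror the SIEM query above: source, url, dest_ip.
SAMPLE_EVENTS = [
    'source="streama" user="alice" url="/subtitle/download?url=https://subs.example.org/film.srt&name=film.srt" dest_ip="93.184.216.34"',
    'source="streama" user="bob" url="/subtitle/download?name=..%2F..%2F..%2Ftmp%2Fx.srt" dest_ip="93.184.216.34"',
    'source="streama" user="bob" url="/subtitle/download?url=http://169.254.169.254/latest/meta-data/" dest_ip="169.254.169.254"',
    'source="streama" user="carol" url="/subtitle/download?url=http://10.0.0.5:8080/" dest_ip="10.0.0.5"',
    'source="nginx" url="/static/../index.html" dest_ip="93.184.216.34"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')          # '../' or '..\' after decoding
HOST_RE = re.compile(r'https?://([^/:?&\s]+)')   # hosts named inside the request URL
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal"}
SUBTITLE_PATH = "/subtitle/"  # assumed endpoint prefix; adjust to your deployment

def parse_event(line):
    # key="value" pairs -> dict
    return dict(KV_RE.findall(line))

def is_internal(host):
    # Cloud metadata hosts, plus any private or link-local IP address.
    if host in METADATA_HOSTS:
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name other than the known metadata hosts
        return False
    return ip.is_private or ip.is_link_local

def classify(event):
    # Rule names that fire for one parsed event (only Streama-sourced events).
    findings = []
    if event.get("source") != "streama":
        return findings
    # Decode twice so double-encoded '%252e%252e%252f' still surfaces as '../'.
    url = unquote(unquote(event.get("url", "")))
    if SUBTITLE_PATH in url and TRAVERSAL_RE.search(url):
        findings.append("path_traversal_in_subtitle_request")
    hosts = HOST_RE.findall(url) + [event.get("dest_ip", "")]
    if any(is_internal(h) for h in hosts if h):
        findings.append("ssrf_to_internal_or_metadata")
    return findings

def scan(lines):
    return [(i, f) for i, line in enumerate(lines) for f in classify(parse_event(line))]
```

Running `scan(SAMPLE_EVENTS)` flags the traversal on line 1 and the internal/metadata destinations on lines 2 and 3, while the nginx line is ignored because the rules are scoped to Streama-sourced events.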