Path Disclosure Vulnerability in AVideo by WWBN
CVE-2025-34442

6.9MEDIUM

Key Information:

Vendor

World Wide Broadcast Network

Status
Avideo
Vendor
CVE Published:
17 December 2025

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2025-34442?

AVideo versions prior to 20.0 are vulnerable to a path disclosure issue, which occurs through several public API endpoints. This vulnerability exposes absolute filesystem paths in the returned metadata, granting potential attackers insights into the server's underlying filesystem structure. By revealing information about media file locations, the vulnerability could facilitate exploitation or create avenues for further attacks on the system.

Affected Version(s)

AVideo 0 < 20.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34442 - Proof of Concept

References

https://github.com/WWBN/AVideo/commit/4a53ab2056
release-notes
https://github.com/WWBN/AVideo/commit/dbe3e91c54
patch
https://www.vulncheck.com/advisories/avideo-system-path-d...
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein (Chocapikk)
JSON
.