CVE-2025-34452

UNKNOWN 0.0

Streama Subtitle Download Path Traversal and SSRF Leading to Arbitrary File Write

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities in that allow an authenticated attacker to write arbitrary files to the server filesystem. The issue exists in the subtitle download functionality, where user-controlled parameters are used to fetch remote content and construct file paths without proper validation. By supplying a crafted subtitle download URL and a path traversal sequence in the file name, an attacker can write files to arbitrary locations on the server, potentially leading to remote code execution.

CWE	CWE-22 CWE-918
Vendor	streama
Product	streama
Published	Dec 18, 2025
Last Updated	Mar 23, 2026

Stay Ahead of the Next One

Get instant alerts for streama streama

Be the first to know when new unknown vulnerabilities affecting streama streama are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Streama / Streama

1.10.0 ≤ 1.10.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/streamaserver/streama/commit/b7c8767 chocapikk.com: https://chocapikk.com/posts/2025/streama-path-traversal-ssrf/ vulncheck.com: https://www.vulncheck.com/advisories/streama-subtitle-download-path-traversal-and-ssrf-leading-to-arbitrary-file-write

Credits

Valentin Lobstein (Chocapikk)