CVE-2025-34452 HIGH

CVE-2025-34452: Streama Subtitle Download Path Traversal and SSRF Leading to Arbitrary File Write

Vendor Streama
Product Streama
Weakness CWE-22 · Path traversal
Published December 18, 2025
Last update March 23, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Streama versions 1.10.0 through 1.10.5 and prior to commit b7c8767 contain a combination of path traversal and server-side request forgery (SSRF) vulnerabilities in that allow an authenticated attacker to write arbitrary files to the server filesystem. The issue exists in the subtitle download functionality, where user-controlled parameters are used to fetch remote content and construct file paths without proper validation. By supplying a crafted subtitle download URL and a path traversal sequence in the file name, an attacker can write files to arbitrary locations on the server, potentially leading to remote code execution.

Key dates

02Disclosure timeline

December 18, 2025 CVE published
March 23, 2026 Record updated