AVideo < 20.0 System Path Disclosure via Public API

Advisories

severity: medium
date: December 17, 2025
Affecting: AVideo < 20.0
CVE: CVE-2025-34442
CWE: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
References: AVideo Release Notes
AVideo Patch Commit
Credit: Valentin Lobstein (Chocapikk)
Description: AVideo versions prior to 20.0 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.