CVE-2025-34442: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in World Wide Broadcast Network AVideo
AVideo versions prior to 20.0 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.
AI Analysis
Technical Summary
CVE-2025-34442 is a vulnerability identified in the World Wide Broadcast Network's AVideo product, affecting all versions prior to 20.0. The flaw involves the exposure of absolute filesystem paths through multiple public API endpoints. When clients query these APIs, the returned metadata includes full server paths to media files, thereby revealing the underlying directory structure of the server hosting AVideo. This type of information disclosure is classified under CWE-497, which concerns the exposure of sensitive system information to unauthorized entities. The vulnerability is remotely exploitable without authentication or user interaction, making it accessible to any attacker who can reach the API endpoints. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low to medium impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no active exploits have been reported, the disclosure of absolute paths can help attackers map the server environment and identify potential targets for further attacks such as path traversal, local file inclusion, or privilege escalation. The absence of patch links suggests that remediation requires upgrading to version 20.0 or later, which presumably addresses this issue by sanitizing API responses and removing sensitive path information. Organizations relying on AVideo for media streaming or broadcasting should be aware of this vulnerability, because insight into server configurations and file locations can be leveraged in multi-stage attack chains.
Potential Impact
For European organizations, the exposure of absolute filesystem paths can significantly increase the risk profile of their AVideo deployments. Attackers gaining knowledge of the server's directory structure can craft more precise and effective attacks, such as exploiting path traversal vulnerabilities or targeting specific files for unauthorized access. This can lead to unauthorized data disclosure, service disruption, or even full system compromise if combined with other vulnerabilities. Media companies, broadcasters, educational institutions, and any entities using AVideo to deliver video content are particularly at risk. The impact extends to reputational damage, regulatory non-compliance (especially under GDPR if personal data is involved), and potential financial losses due to service downtime or breach remediation costs. Since the vulnerability requires no authentication and is exploitable remotely, the attack surface is broad, especially for publicly accessible AVideo instances. The medium severity rating reflects the moderate but non-trivial risk posed by this information disclosure, which can be a stepping stone for more severe attacks.
Mitigation Recommendations
1. Upgrade AVideo installations to version 20.0 or later, where this vulnerability is addressed.
2. Restrict access to public API endpoints by implementing network-level controls such as IP whitelisting or VPN access to reduce exposure.
3. Implement web application firewalls (WAFs) to detect and block suspicious API requests that attempt to enumerate or exploit filesystem information.
4. Review and sanitize API responses to ensure that no absolute filesystem paths or sensitive metadata are leaked.
5. Conduct regular security audits and penetration tests focusing on API endpoints to identify and remediate similar information disclosure issues.
6. Monitor logs for unusual access patterns or repeated requests to API endpoints that could indicate reconnaissance activity.
7. Educate development and operations teams about secure coding practices to avoid exposing sensitive system information in responses.
8. If upgrading immediately is not feasible, consider temporary mitigations such as disabling or limiting the affected API endpoints until a patch is applied.
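One way to carry out the response review in recommendation 4 on your own deployment, as an added example that is not AVideo code: walk a JSON API response, report every string value that looks like an absolute server path, and reduce it to its file name. The JSON field names, the sample path and the list of root directories are constructed assumptions, not taken from AVideo.

```python
import json
import re
from pathlib import PurePosixPath, PureWindowsPath

# Heuristic (assumption): top-level directories that mark a server-side path.
# Relative URL paths such as /videos/x.jpg are deliberately not matched.
POSIX_ROOTS = ("var", "home", "srv", "opt", "usr", "mnt", "tmp", "etc", "root")
POSIX_RE = re.compile(r"^/(?:%s)/\S+" % "|".join(POSIX_ROOTS))
WINDOWS_RE = re.compile(r"^[A-Za-z]:[\\/]\S+")

# Constructed sample response; field names and paths are hypothetical.
SAMPLE_RESPONSE = json.loads("""
{"error": false, "rows": [{
  "id": 7, "title": "Intro",
  "url": "https://media.example.test/videos/intro/index.mp4",
  "path": "/srv/media-root/videos/intro/index.mp4",
  "thumbs": ["/videos/intro/thumb.jpg",
             "/srv/media-root/videos/intro/thumb.jpg"]}]}
""")

def looks_like_server_path(value):
    return bool(POSIX_RE.match(value) or WINDOWS_RE.match(value))

def find_path_leaks(node, where="$"):
    """Yield (json_path, value) for each string that looks like a server path."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from find_path_leaks(child, f"{where}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_path_leaks(child, f"{where}[{i}]")
    elif isinstance(node, str) and looks_like_server_path(node):
        yield where, node

def redact(node):
    """Return a copy of the response with leaked paths cut down to the file name."""
    if isinstance(node, dict):
        return {k: redact(v) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    if isinstance(node, str) and looks_like_server_path(node):
        flavour = PureWindowsPath if WINDOWS_RE.match(node) else PurePosixPath
        return flavour(node).name
    return node

if __name__ == "__main__":
    for location, value in find_path_leaks(SAMPLE_RESPONSE):
        print(f"LEAK {location}: {value}")
    print(json.dumps(redact(SAMPLE_RESPONSE), indent=2))
```

Run the finder against saved responses from each public endpoint before and after upgrading; an empty result after the upgrade is the evidence that the disclosure is gone.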
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.602Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 694309ba0b6f32e62bf653da
Added to database: 12/17/2025, 7:51:22 PM
Last enriched: 12/17/2025, 7:59:13 PM
Last updated: 12/18/2025, 6:15:02 AM