CVE-2022-25216
Description
An absolute path traversal vulnerability allows a remote attacker to download any file on the Windows file system for which the user account running DVDFab 12 Player (recently renamed PlayerFab) has read-access, by means of an HTTP GET request to http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- DVDFab / DVDFab Player
Patches
Vulnerability mechanics
Root cause
"Missing path validation in the /download endpoint allows absolute path traversal."
Attack vector
An attacker on the same network can send an HTTP GET request to `http://<IP_ADDRESS>:32080/download/<URL_ENCODED_PATH>` [ref_id=1]. The server does not validate or restrict the path supplied by the user, so the attacker can URL-encode an absolute Windows path (e.g., `C%3a%2fwindows%2fsystem.ini`) to read any file the DVDFab Player process has read-access to [ref_id=1]. No authentication is required, and the service listens on port 32080 by default [ref_id=1].
Affected code
The vulnerable endpoint is the HTTP GET handler at `/download/`.
What the fix does
No patch has been released. The vendor (DVDFab) did not respond to multiple disclosure attempts between December 2021 and February 2022 [ref_id=1]. The advisory recommends that users restrict network access to port 32080 or discontinue use of the product until a fix is available [ref_id=1].
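The root cause quoted above is the absence of any path validation before the `/download/` handler opens the requested file. The following is an added example (not DVDFab's code) of the containment check such a handler needs: it decodes the `<URL_ENCODED_PATH>` segment once, rejects absolute paths in both POSIX and Windows forms (including the `C%3a%2fwindows%2fsystem.ini` shape from the advisory), rejects any `..` component, and only then joins the result under a fixed library root. `MEDIA_ROOT` and `safe_media_path` are names assumed for this example.

```python
from typing import Optional
from urllib.parse import unquote
import ntpath
import posixpath

# Constructed example library root; a real server would use its configured media folder.
MEDIA_ROOT = "/srv/media"


def safe_media_path(requested: str, root: str = MEDIA_ROOT) -> Optional[str]:
    """Map the <URL_ENCODED_PATH> segment of a /download/ request to a file
    under `root`, or return None if the request would escape it.

    Pure string logic so it runs the same on any OS; a deployed handler
    would additionally resolve symlinks (os.path.realpath) before serving.
    """
    decoded = unquote(requested)
    # NUL bytes and leftover percent-escapes (double encoding) are never legitimate here.
    if "\x00" in decoded or "%" in decoded:
        return None
    # Treat backslashes as separators so Windows-style traversal is caught too.
    normalized = decoded.replace("\\", "/")
    # Reject anything absolute: POSIX root, Windows drive letter, or UNC share.
    if (posixpath.isabs(normalized)
            or ntpath.isabs(normalized)
            or ntpath.splitdrive(normalized)[0]):
        return None
    # Reject any '..' or '.' component before joining; empty segments are dropped.
    parts = [p for p in normalized.split("/") if p]
    if not parts or any(p in (".", "..") for p in parts):
        return None
    candidate = posixpath.normpath(posixpath.join(root, *parts))
    # Final containment check in case normalisation produced something unexpected.
    if not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: the first three mirror traversal shapes, the last is legitimate.
    for req in ("C%3a%2fwindows%2fsystem.ini", "%2fetc%2fpasswd",
                "movies%2F..%2F..%2Fsecret.txt", "movies%2Fclip.mp4"):
        print(f"{req!r:40} -> {safe_media_path(req)}")
```

Everything that returns `None` should be answered with an HTTP 400 or 404 rather than an error message that echoes the decoded path; the allow-list approach (reject anything that is not a plain relative path under the root) is what distinguishes this from a blacklist of `..` substrings, which the encoded absolute-path form in this CVE bypasses entirely.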
Preconditions
- Network: The DVDFab 12 Player / PlayerFab application must be running with its HTTP media library service listening on port 32080.
- Network: The attacker must have network access to the host on port 32080.
- Auth: No authentication is required.
Reproduction
`curl "http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.tenable.com/security/research/tra-2022-07 (x_refsource_MISC)
News mentions
No linked articles in our index yet.