Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction

Vulnerability

A high-severity Zip Slip vulnerability exists in Streambert's subtitle extraction logic (src/ipc/subtitles.js). The application downloads a ZIP archive and extracts its entries without sanitizing filenames. The destination path is constructed by concatenating the raw archive entry name directly to the temporary directory path: path.join(os.tmpdir(), 'streambert_sub_${Date.now()}_${extracted.name}'). This allows directory traversal sequences (e.g., ../../../../etc/cron.d/malicious) to escape the temporary directory. Affected versions are 2.4.0 and prior [1].

Exploitation

An attacker must host a malicious ZIP archive on an HTTPS server and trick the user into triggering subtitle extraction via the IPC channel get-subtitle-url. The attacker crafts a ZIP with entries containing path traversal sequences. The user executes an IPC invocation (e.g., via Developer Tools) or is tricked into processing a malicious subtitle URL. The application downloads and extracts the archive, writing files to arbitrary locations on the host filesystem subject to the application's write permissions [1].

Impact

Successful exploitation allows arbitrary file write, potentially leading to system compromise. On Windows, an attacker could write a payload to the Startup folder for persistence; on Linux, to cron jobs or other sensitive locations. The impact is high, as it can result in remote code execution or privilege escalation depending on the written file [1].

Mitigation

The vulnerability is fixed in Streambert version 2.5.0, released on 2026-06-16. Users should update to 2.5.0 immediately. No workarounds are mentioned in the available references. The fix likely involves sanitizing archive entry names to prevent path traversal [1][2].