GHSA-hgqw-6m45-hw5f

Suggest an improvement
Source
https://github.com/advisories/GHSA-hgqw-6m45-hw5f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hgqw-6m45-hw5f/GHSA-hgqw-6m45-hw5f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hgqw-6m45-hw5f
Aliases
  • CVE-2026-44353
Published
2026-05-11T14:28:30Z
Modified
2026-05-11T14:46:42.646024Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Streamlink has an arbitrary local file read via file:// URI in HLS and DASH
Details

Summary

Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream.

Confirmed on streamlink 8.3.0 (latest release at time of report).

Description

Segment URIs from an HLS playlist or DASH manifest are passed to the worker without any scheme check. The underlying HTTP session accepts file:// URIs, which resolve against the local filesystem. There is no scheme allowlist at the parser level, so any path readable by the streamlink process is treated as a valid segment.

The attacker does not need local access to the victim. A playlist/manifest hosted on an attacker-controlled server, fetched by streamlink on the victim's machine, is enough to trigger the read.

Impact

A remote attacker hosting a malicious playlist/manifest can make any client running streamlink against that URL read arbitrary local files within the streamlink process's read scope and write them into the output file.

Reachable files depend on the user running streamlink. Typical targets: ~/.ssh/id_* private keys, ~/.aws/credentials, shell history, application config files holding API tokens, and world-readable system files like /etc/passwd.

Affected scenarios

  • Server-side or automated deployments (recording bots, media pipelines, CI jobs processing playlists). The output file is often uploaded, logged, or otherwise exposed, which gives direct disclosure to attacker-reachable locations.
  • Interactive desktop use. File contents land on the victim's disk and can leak through secondary channels: the user sharing the recording, cloud sync, backup, etc.

This bug does not on its own send file contents back to the attacker. The disclosure goes to the output sink. Full exfiltration depends on what happens to that file afterward.

Steps to reproduce

Tested on streamlink 8.3.0, Linux (Kali).

  1. Save as playlist.m3u8:

    #EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:5
#EXT-X-PLAYLIST-TYPE:VOD
#EXTINF:5.0,
file:///etc/passwd
#EXT-X-ENDLIST

  2. Host the playlist on a remote server reachable by the victim. For testing, a VPS, a tunnel (cloudflared, ngrok), or a static host like GitHub Pages all work.

  3. On the victim machine:

    streamlink "hls://https://attacker-host.example/playlist.m3u8" best -o /tmp/proof.ts

  4. Inspect the output:

    cat /tmp/proof.ts

  5. The output contains the contents of /etc/passwd from the machine running streamlink.

Local reproduction (equivalent, simpler to set up):

python3 -m http.server 8080    # in directory containing playlist.m3u8
streamlink "hls://http://127.0.0.1:8080/playlist.m3u8" best -o /tmp/proof.ts
cat /tmp/proof.ts

The remote case was confirmed independently using a tunnel.

Proposed remediation

Allowlist http and https for segment URIs in the HLS parser. Reject any other scheme (file, ftp, data, etc.) at parse time, before the URI reaches the fetcher.

The check needs to cover:

  • Segment URIs in the top-level manifest.
  • Segment URIs in nested manifests pulled during playback (variant playlists referenced from a master playlist).
  • Other URI fields the fetcher consumes — #EXT-X-KEY and #EXT-X-MAP URIs at minimum. Worth auditing the rest for the same issue.

The check belongs in the parser, not the fetcher. Putting it next to the untrusted input means downstream callers don't each need to re-implement it, and any future fetcher path inherits the protection by default.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:28:30Z",
    "cwe_ids": [
        "CWE-73"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}
References

Affected packages

PyPI / streamlink

Package

Name
streamlink
View open source insights on deps.dev
Purl
pkg:pypi/streamlink

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.4.0

Affected versions

0.*
0.0.1
0.0.2
0.1.0
0.2.0
0.3.0
0.3.1
0.3.2
0.4.0
0.5.0
0.6.0
0.7.0
0.8.1
0.9.0
0.10.0
0.11.0
0.12.0
0.12.1
0.13.0
0.14.0
0.14.2
1.*
1.0.0
1.1.0
1.1.1
1.2.0
1.3.0
1.3.1
1.4.0
1.4.1
1.5.0
1.6.0
1.7.0
2.*
2.0.0
2.1.0
2.1.1
2.1.2
2.2.0
2.3.0
2.4.0
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.1.0
3.1.1
3.2.0
4.*
4.0.0
4.0.1
4.1.0
4.2.0
4.3.0
5.*
5.0.0
5.0.1
5.1.0
5.1.1
5.1.2
5.2.1
5.3.0
5.3.1
5.4.0
5.5.0
5.5.1
6.*
6.0.0
6.0.1
6.1.0
6.2.0
6.2.1
6.3.0
6.3.1
6.4.0
6.4.1
6.4.2
6.5.0
6.5.1
6.6.0
6.6.1
6.6.2
6.7.0
6.7.1
6.7.2
6.7.3
6.7.4
6.8.0
6.8.1
6.8.2
6.8.3
6.9.0
6.10.0
6.11.0
7.*
7.0.0
7.1.0
7.1.1
7.1.2
7.1.3
7.2.0
7.3.0
7.4.0
7.5.0
7.6.0
8.*
8.0.0
8.1.0
8.1.1
8.1.2
8.2.0
8.2.1
8.3.0

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hgqw-6m45-hw5f/GHSA-hgqw-6m45-hw5f.json"
last_known_affected_version_range 
"<= 8.3.0"