cbcvebase.
CVE-2017-9993
published 2017-06-28

CVE-2017-9993: FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename…

PriorityP355high7.5CVSS 3.0
AVNACLPRNUINSUCHINAN
EPSS
16.44%
96.6th percentile
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

Affected

11 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debiandebian_linux
debianffmpeg< ffmpeg 7:3.2.6-1 (bookworm)ffmpeg 7:3.2.6-1 (bookworm)
ffmpegffmpeg< 2.8.122.8.12
ffmpegffmpeg>= 0 < 7:3.2.6-17:3.2.6-1
ffmpegffmpeg>= 0 < 7:3.2.6-17:3.2.6-1
ffmpegffmpeg>= 0 < 7:3.2.6-17:3.2.6-1
ffmpegffmpeg>= 0 < 7:3.2.6-17:3.2.6-1
ffmpegffmpeg>= 3.0 < 3.1.93.1.9
ffmpegffmpeg>= 3.2 < 3.2.63.2.6
ffmpegffmpeg>= 3.3 < 3.3.23.3.2

Detection & IOCsextracted from sources · hover to see the quote

other#EXTM3U #EXT-X-MEDIA-SEQUENCE:0 #EXTINF:1.0 GOD.txt #EXTINF:1.0 /flag #EXT-X-ENDLIST
urlhttp://35.211.92.233:8001/upload/output1_624e9e5c339b8f5751b84303f9389fb1.m3u8.gif
  • Malicious HLS playlist (m3u8) files containing non-media filename extensions (e.g., .txt) as playlist entries are the exploit vehicle; the trick causes FFmpeg to treat subsequent entries (including arbitrary file paths) as the same type, enabling arbitrary file read.
  • FFmpeg invoked with `-allowed_extensions ALL` is a strong indicator of exploitation enablement for CVE-2017-9993; monitor process execution for this flag combination with m3u8 input files.
  • Uploaded m3u8 playlist files containing plaintext entries referencing local filesystem paths (e.g., /etc/passwd, /flag) should be flagged; the vulnerability allows reading arbitrary local files via crafted playlist data.
  • Output files with double extensions such as .m3u8.gif may indicate exfiltration of file-read results from FFmpeg HLS exploitation; monitor for such output filenames in upload/conversion directories.
  • ·The vulnerability affects FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2; detections should be scoped to these version ranges.
  • ·The exploit requires the attacker to be able to supply a crafted m3u8 playlist to FFmpeg; attack surface is limited to applications that accept user-supplied playlist/m3u8 files and pass them to FFmpeg.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv7.5HIGH
vendor_debian7.5HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.