CVE-2026-48055

Streambert · Streambert

A Zip Slip vulnerability in the Streambert desktop application allows attackers to perform path traversal and write arbitrary files to the host filesystem.

Executive summary

A critical Zip Slip vulnerability in Streambert allows malicious archives to overwrite arbitrary files on the user's host system during subtitle extraction.

Vulnerability

The application fails to sanitize archive entry filenames during the subtitle extraction process. By crafting a ZIP archive with directory traversal sequences, an attacker can escape the designated extraction directory and write files to restricted areas of the filesystem.
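The check described above is the missing piece: every archive entry name must be resolved against the extraction directory and rejected if it lands outside it. The following Python example is added here and is not Streambert's code; the archive it builds is constructed in memory for illustration and contains one normal subtitle entry and one entry whose name carries a traversal sequence, so the extractor's handling of the escape can be seen directly. The function names (`is_safe_member`, `safe_extract`, `build_sample_archive`) are this example's own.

```python
import io
import os
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample (not from the advisory): one valid subtitle entry
    and one entry whose name tries to climb out of the destination."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("movie.en.srt", "1\n00:00:01,000 --> 00:00:02,000\nHello\n")
        zf.writestr("../../escaped.txt", "should never be written")
    return buf.getvalue()


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name resolves to a path inside dest_dir."""
    # Absolute paths and Windows drive letters can never be inside dest_dir.
    if os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        return False
    # Archive names should use '/', and a backslash is a separator on Windows,
    # so treat any backslash as hostile rather than guessing.
    if "\\" in member_name:
        return False
    dest_real = os.path.realpath(dest_dir)
    # realpath collapses '..' segments and follows symlinks, so a name such as
    # 'a/../../x' ends up wherever it would really be written.
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(archive_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract the archive into dest_dir, writing only entries that stay inside it.

    Returns (written, rejected) lists of entry names so the caller can log the
    rejected ones; a rejected entry is a strong signal of a crafted archive.
    """
    written: list[str] = []
    rejected: list[str] = []
    os.makedirs(dest_dir, exist_ok=True)
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        ok, bad = safe_extract(build_sample_archive(), os.path.join(tmp, "subs"))
        print("written:", ok)
        print("rejected:", bad)
```

The validation is done on the fully resolved path rather than by searching the name for `..`, so encoded or nested variants (`a/../../x`, a symlinked intermediate directory) are caught as well; treating any rejected entry as a security event, not just a skipped file, is what makes the monitoring recommendation below actionable.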

Business impact

This vulnerability can be leveraged to overwrite system configuration files or place malicious executables in startup directories, leading to persistent local access or full system compromise. The CVSS score of 10.0 underscores the severe risk posed by this lack of input validation.

Remediation

Immediate Action: Update the Streambert application to version 2.5.0, which includes the necessary sanitization logic to prevent path traversal.

Proactive Monitoring: Monitor the host filesystem for unexpected file modifications or the creation of new files in sensitive directories during the application's runtime.

Compensating Controls: Run the application with the least privilege necessary to limit the potential impact of a successful file write operation if an update cannot be performed immediately.

Exploitation status

Public Exploit Available: not recorded

Analyst recommendation

The Zip Slip vulnerability is a well-understood vector for compromise. All users must upgrade to version 2.5.0 immediately to mitigate the risk of arbitrary file writes on their local workstations.