CVE-2017-9993

HIGH

FFmpeg < 2.8.12, 3.0.x-3.1.8, 3.2.x-3.2.5, 3.3.x-3.3.1 - Arbitrary File Read via Crafted HLS Playlist Data

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2017-9993. PoCs published by qazbnm456, xbl3.

AI-analyzed exploit summary: This repository provides a detailed writeup and references for CVE-2017-9993, a local file disclosure vulnerability in FFmpeg. It includes links to the original HackerOne report, technical discussions, and patches but does not contain functional exploit code.

Description

FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

Exploits (2)

github WRITEUP 3,480 stars
by qazbnm456 · poc
https://github.com/qazbnm456/awesome-cve-poc/tree/master/CVE-2017-9993.md

This repository provides a detailed writeup and references for CVE-2017-9993, a local file disclosure vulnerability in FFmpeg. It includes links to the original HackerOne report, technical discussions, and patches but does not contain functional exploit code.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Theoretical
Target: FFmpeg
No auth needed
Prerequisites: FFmpeg installation vulnerable to the issue
devstral-2 · analyzed Feb 27, 2026

github WRITEUP 14 stars
by xbl3 · poc
https://github.com/xbl3/awesome-cve-poc_qazbnm456/tree/master/CVE-2017-9993.md

This repository provides a detailed writeup and references for CVE-2017-9993, a local file disclosure vulnerability in FFmpeg. It includes links to the original HackerOne report, technical discussions, and patches, but does not contain functional exploit code.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Theoretical
Target: FFmpeg
No auth needed
Prerequisites: FFmpeg installation with vulnerable version
devstral-2 · analyzed Feb 27, 2026

References (5)

Core References
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3957
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/99315
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/01/msg00006.html

Scores

CVSS v3 7.5
EPSS 0.1644
EPSS Percentile 96.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-200
Status published
Products (3)
debian/debian_linux 8.0
debian/debian_linux 9.0
ffmpeg/ffmpeg < 2.8.12
Published Jun 28, 2017
Tracked Since Feb 18, 2026