CVE-2025-10472 Overview
A path traversal vulnerability has been identified in harry0703 MoneyPrinterTurbo versions up to 1.2.6. The vulnerability exists within the download_video and stream_video functions located in the app/controllers/v1/video.py file of the URL Handler component. Improper sanitization of the file_path argument allows remote attackers to traverse directories and potentially access sensitive files outside the intended directory structure.
Critical Impact
Remote attackers can exploit this path traversal vulnerability to read arbitrary files from the server by manipulating the file_path parameter, potentially exposing sensitive configuration files, credentials, or other confidential data.
Affected Products
- harry0703 MoneyPrinterTurbo up to version 1.2.6
- All installations with an exposed URL Handler component
- Deployments with network-accessible video download/streaming endpoints
Discovery Timeline
- September 15, 2025 - CVE-2025-10472 published to NVD
- November 21, 2025 - Last updated in NVD database
Technical Details for CVE-2025-10472
Vulnerability Analysis
This path traversal vulnerability (CWE-22) affects the video handling functionality in MoneyPrinterTurbo. The vulnerable code resides in app/controllers/v1/video.py, specifically within the download_video and stream_video functions. When processing user-supplied input through the file_path parameter, the application fails to properly validate and sanitize directory traversal sequences such as ../ or encoded variants.
The vulnerability can be exploited remotely without authentication, as the affected URL Handler component processes requests from the network. An attacker can craft malicious requests containing path traversal sequences to break out of the intended video directory and access files elsewhere on the file system. The exploit methodology has been publicly disclosed, increasing the risk of widespread exploitation.
Root Cause
The root cause of this vulnerability is insufficient input validation in the URL Handler component. The file_path parameter passed to the download_video and stream_video functions is not properly sanitized to prevent directory traversal sequences. The application fails to canonicalize paths or validate that the requested file resides within an allowed directory before serving content to users.
Attack Vector
This vulnerability is exploitable over the network without requiring any authentication or user interaction. An attacker can manipulate the file_path parameter in HTTP requests to the video download or streaming endpoints. By including path traversal sequences such as ../ in the request, the attacker can navigate outside the intended video directory and access arbitrary files readable by the web application process.
The attack can be performed through standard HTTP requests to the vulnerable endpoints. For detailed technical analysis of the exploitation technique, refer to the Notion Path Traversal Vulnerability Analysis documentation.
Detection Methods for CVE-2025-10472
Indicators of Compromise
- HTTP requests to /v1/video/ endpoints containing path traversal sequences (../, ..%2f, %2e%2e/)
- Unusual file access patterns in application logs showing requests for files outside the video directory
- Access attempts to sensitive system files such as /etc/passwd, configuration files, or credential stores
- Web server logs showing requests with encoded directory traversal characters
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns
- Monitor HTTP request logs for suspicious file_path parameters with directory navigation sequences
- Deploy intrusion detection signatures that alert on attempts to access system files through web endpoints
- Enable detailed logging for the download_video and stream_video functions to capture malicious requests
Monitoring Recommendations
- Configure alerting for any requests to video endpoints containing .. sequences or URL-encoded equivalents
- Monitor file system access logs for the web application user accessing files outside expected directories
- Review web server access logs regularly for patterns consistent with path traversal exploitation attempts
- Implement anomaly detection for unusual file paths requested through the video controller
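The indicators and monitoring recommendations above, as an added example that is not code from the advisory or the MoneyPrinterTurbo project: a small Python scanner over constructed access-log lines that percent-decodes repeatedly (so double-encoded variants are caught), flags only a whole `..` path segment (so a file named `clip..mp4` is not a false positive), and rates hits that returned 2xx as high severity because content was actually served. The log lines and the `/v1/video/` prefix filter are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format) for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2025:10:01:02 +0000] "GET /v1/video/task-123/final.mp4 HTTP/1.1" 200 1048576
10.0.0.9 - - [15/Sep/2025:10:01:07 +0000] "GET /v1/video/../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [15/Sep/2025:10:01:09 +0000] "GET /v1/video/..%2f..%2fapp%2fconfig.toml HTTP/1.1" 200 512
10.0.0.9 - - [15/Sep/2025:10:01:11 +0000] "GET /v1/video/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
10.0.0.7 - - [15/Sep/2025:10:02:00 +0000] "GET /v1/video/clip..mp4 HTTP/1.1" 200 9000
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
VIDEO_PREFIX = "/v1/video/"  # endpoint path named in the advisory


def fully_decode(s: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until stable; rounds > 1 means the request was double-encoded."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(s)
        if nxt == s:
            break
        s, rounds = nxt, rounds + 1
    return s, rounds


def is_traversal(target: str) -> tuple[bool, int]:
    """Flag only a whole '..' segment after decoding; both / and \\ count as separators."""
    path = target.split("?", 1)[0]  # ignore the query string
    decoded, rounds = fully_decode(path)
    segments = re.split(r"[\\/]+", decoded)
    return ".." in segments, rounds


def scan_log(text: str) -> list[dict]:
    """Return one finding per traversal attempt against the video endpoints."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not m["target"].startswith(VIDEO_PREFIX):
            continue
        hit, rounds = is_traversal(m["target"])
        if hit:
            findings.append({
                "client": line.split(" ", 1)[0],
                "target": m["target"],
                "status": int(m["status"]),
                "double_encoded": rounds > 1,
                # A 2xx on a traversal request means the file was actually served.
                "severity": "high" if m["status"].startswith("2") else "medium",
            })
    return findings
```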
How to Mitigate CVE-2025-10472
Immediate Actions Required
- Update MoneyPrinterTurbo to a version newer than 1.2.6 if a patched version is available
- Implement input validation on the file_path parameter to reject directory traversal sequences
- Restrict network access to the vulnerable endpoints using firewall rules or access control lists
- Deploy a web application firewall with rules to block path traversal attack patterns
Patch Information
Organizations running MoneyPrinterTurbo versions up to 1.2.6 should monitor the project repository for security updates. For additional technical details regarding this vulnerability, consult the VulDB advisory and the vulnerability submission details.
Workarounds
- Implement path canonicalization and validation to ensure requested files reside within allowed directories
- Add server-side validation to strip or reject file_path values containing .., ./, or URL-encoded path separators
- Restrict the application's file system permissions to limit readable directories
- Use a whitelist approach for valid video file paths instead of allowing arbitrary user input
- Consider disabling the video download and streaming endpoints if not required for business operations
# Example: Nginx configuration to block path traversal attempts
location /v1/video/ {
    # Block requests containing path traversal sequences. $request_uri is the raw,
    # undecoded request line, so match both the literal ".." and its percent-encoded
    # form; the ~* operator makes the match case-insensitive (%2E%2E is covered too).
    if ($request_uri ~* "(\.\.|%2e%2e)") {
        return 403;
    }
    # Additional security headers
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    # Proxy to application
    proxy_pass http://127.0.0.1:8000;
}
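The canonicalization and containment check from the Workarounds list, as an added Python example that is not the project's own code: an untrusted file_path is decoded, resolved against the storage root, and accepted only if the resolved path has the root as a component-wise parent, which also catches a symlink inside the root that points outside it and a sibling directory that merely shares a string prefix. VIDEO_ROOT is an assumed directory; the advisory does not give the project's real layout.

```python
from pathlib import Path
from urllib.parse import unquote

# Assumed storage root; the project's real directory layout is not given in the advisory.
VIDEO_ROOT = Path("/srv/moneyprinter/storage/tasks")


class PathTraversalError(ValueError):
    """Raised when a requested file_path would leave the video directory."""


def resolve_video_path(file_path: str, root: Path = VIDEO_ROOT) -> Path:
    """Map an untrusted file_path onto a file inside root, or raise.

    Canonicalize first, then check containment on path components: the two steps
    the advisory's root-cause section says the vulnerable handlers omit.
    """
    # Decode once so '..%2f' is seen as '../'. Frameworks usually do this already;
    # a double-encoded '%252e' stays a literal, harmless file-name character.
    decoded = unquote(file_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in file_path")
    if Path(decoded).is_absolute():
        raise PathTraversalError("absolute paths are not accepted")
    # resolve() collapses '..' and follows symlinks, so a link inside root that
    # points outside it is also caught by the containment check below.
    root_resolved = root.resolve(strict=False)
    candidate = (root_resolved / decoded).resolve(strict=False)
    # is_relative_to() compares components, so a sibling such as
    # '/srv/moneyprinter/storage/tasks_backup' does not pass as a string prefix would.
    if candidate == root_resolved or not candidate.is_relative_to(root_resolved):
        raise PathTraversalError(f"{file_path!r} escapes {root}")
    return candidate


def is_safe_video_path(file_path: str, root: Path = VIDEO_ROOT) -> bool:
    """Boolean form of resolve_video_path, convenient for request validation."""
    try:
        resolve_video_path(file_path, root)
        return True
    except PathTraversalError:
        return False
```

The handler would call resolve_video_path before opening anything and return 404 or 403 on PathTraversalError; the returned Path, not the user's string, is what gets opened.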
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

