CVE-2025-7896 Overview
CVE-2025-7896 is a path traversal vulnerability [CWE-22] in harry0703 MoneyPrinterTurbo versions up to 1.2.6. The flaw resides in the download_video and delete_video functions within app/controllers/v1/video.py. Attackers can manipulate file path parameters to access or delete files outside the intended directory. The vulnerability is remotely exploitable and requires low-level privileges, with no user interaction needed.
Critical Impact
Remote authenticated attackers can read or delete arbitrary files on the host by traversing the file system through unsanitized path parameters in the video API endpoints.
Affected Products
- harry0703 MoneyPrinterTurbo versions up to and including 1.2.6
- Component: app/controllers/v1/video.py
- Affected functions: download_video and delete_video
Discovery Timeline
- 2025-07-20 - CVE-2025-7896 published to NVD
- 2025-11-20 - Last updated in NVD database
Technical Details for CVE-2025-7896
Vulnerability Analysis
The vulnerability exists in the video controller of MoneyPrinterTurbo, an open-source automation tool for generating short videos. The download_video and delete_video functions in app/controllers/v1/video.py accept file path or identifier parameters from HTTP requests. The application fails to validate or sanitize these inputs before constructing file system paths. Attackers can supply directory traversal sequences such as ../ to escape the intended working directory.
The vulnerability is mapped to CWE-22, Improper Limitation of a Pathname to a Restricted Directory. Successful exploitation grants attackers read access to arbitrary files through download_video and arbitrary file deletion through delete_video. Sensitive resources such as configuration files, credentials, and application source code become accessible. The EPSS score is 0.345% with a percentile of 57.1.
Root Cause
The root cause is the absence of canonicalization and allowlist validation on user-supplied file identifiers. The controller functions concatenate untrusted input directly into file system paths without verifying that the resolved path stays within the designated video storage directory.
Attack Vector
An authenticated remote attacker sends a crafted HTTP request to the video API endpoint. The request includes traversal sequences in the file name parameter to navigate outside the storage directory. The server resolves the path and either returns the file contents or deletes the target file, depending on the endpoint invoked.
No verified public proof-of-concept code is available. See the VulDB entry #317011 for additional technical context.
Detection Methods for CVE-2025-7896
Indicators of Compromise
- HTTP requests to /api/v1/video/download or /api/v1/video/delete containing ../, ..%2f, or URL-encoded traversal sequences
- Access log entries referencing files outside the designated video output directory
- Unexpected deletion of configuration, log, or application files on the host
- Outbound responses containing file contents that do not match expected video MIME types
Detection Strategies
- Inspect web server and reverse proxy logs for traversal patterns targeting the MoneyPrinterTurbo video endpoints
- Deploy web application firewall rules that block path traversal sequences in API path parameters
- Monitor file integrity on directories accessible to the MoneyPrinterTurbo service account
Monitoring Recommendations
- Enable verbose HTTP request logging on the FastAPI application and forward logs to a centralized SIEM
- Alert on file access by the MoneyPrinterTurbo process outside its designated working directory
- Track API authentication events to identify low-privilege accounts probing video endpoints
How to Mitigate CVE-2025-7896
Immediate Actions Required
- Restrict network exposure of MoneyPrinterTurbo to trusted internal networks only
- Run the application under a dedicated unprivileged user account with minimal file system access
- Disable or block the download_video and delete_video endpoints at a reverse proxy until a patch is applied
- Audit existing video storage directories for unauthorized files or deletions
Patch Information
As of the last NVD update on 2025-11-20, no official vendor patch is listed in the available references. Monitor the harry0703 MoneyPrinterTurbo repository for updated releases beyond version 1.2.6 and apply fixes when published.
Workarounds
- Place the application behind a reverse proxy that strips or rejects traversal characters in URL parameters
- Implement a host-level allowlist using filesystem permissions to confine the service account to the video output directory
- Use container isolation with read-only mounts for sensitive directories such as /etc and application configuration paths
- Validate or replace the affected controller functions with logic that canonicalizes paths and verifies containment within the intended directory
# Example nginx configuration to block traversal sequences on video endpoints
location ~ ^/api/v1/video/(download|delete) {
if ($request_uri ~* "(\.\./|\.\.%2f|%2e%2e/)") {
return 403;
}
proxy_pass http://moneyprinterturbo_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

