Unknown · Streamlink · CVE-2026-44353
**Name of the Vulnerable Software and Affected Versions**
streamlink versions prior to 8.4.0
**Description**
Streamlink's HLS and DASH parsers fail to validate the URI scheme of segment entries and other resources. A remote attacker can host a malicious `.m3u8` HLS playlist or `.mpd` DASH manifest that lists local files using the `file:///` scheme. When Streamlink processes such a manifest, it reads the specified local files—such as private keys, credentials, or system files like `/etc/passwd`—and writes their contents to the output stream or file. This occurs because segment URIs are passed to the worker without a scheme allowlist, and the underlying HTTP session accepts `file://` URIs that resolve against the local filesystem.
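A scheme allowlist of the kind the description says was missing, shown as an added example (this is not Streamlink's code or its 8.4.0 fix). It resolves every segment line and `URI="..."` tag attribute in an HLS playlist against the playlist URL and rejects anything that is not `http` or `https`. The sample playlist, base URL and function names are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumption: only network schemes are legitimate for segments and other resources.
ALLOWED_SCHEMES = {"http", "https"}
URI_ATTR = re.compile(r'URI="([^"]*)"')

# Constructed sample playlist, not taken from a real stream.
BASE_URL = "https://cdn.example.com/live/index.m3u8"
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-TARGETDURATION:6
#EXT-X-MAP:URI="file:///etc/passwd"
#EXTINF:6.0,
segment0.ts
#EXTINF:6.0,
FILE:///etc/passwd
#EXTINF:6.0,
https://cdn.example.com/live/segment2.ts
#EXT-X-ENDLIST
"""

def iter_playlist_uris(text):
    """Yield (line_number, raw_uri) for segment lines and URI="..." attributes."""
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Tags such as EXT-X-MAP and EXT-X-KEY also reference fetchable resources.
            for match in URI_ATTR.finditer(line):
                yield number, match.group(1)
        else:
            yield number, line

def check_playlist(text, base_url):
    """Return (accepted, rejected) lists of (line_number, absolute_uri)."""
    accepted, rejected = [], []
    for number, raw in iter_playlist_uris(text):
        # Check the scheme after resolution: relative entries inherit the base scheme,
        # absolute entries keep their own. urlsplit lowercases it, so FILE: == file:.
        absolute = urljoin(base_url, raw)
        scheme = urlsplit(absolute).scheme
        (accepted if scheme in ALLOWED_SCHEMES else rejected).append((number, absolute))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = check_playlist(SAMPLE_PLAYLIST, BASE_URL)
    for number, uri in bad:
        print(f"line {number}: rejected {uri}")
    print(f"{len(ok)} entries accepted")
```
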
**Recommendations**
Update to version 8.4.0 or later.
As a temporary workaround, avoid processing HLS playlists or DASH manifests from untrusted or remote sources.