{"dataType":"CVE_RECORD","cveMetadata":{"cveId":"CVE-2025-34158","assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","state":"PUBLISHED","assignerShortName":"mitre","dateReserved":"2025-04-15T19:15:22.565Z","datePublished":"2025-08-21T13:43:30.032Z","dateUpdated":"2026-01-02T15:56:59.792Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Media Server","vendor":"Plex","versions":[{"lessThan":"1.42.1","status":"affected","version":"1.41.7.x","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:plex:media_server:*:*:*:*:*:*:*:*","versionStartIncluding":"1.41.7.x","versionEndExcluding":"1.42.1"}]}]}],"credits":[{"lang":"en","type":"finder","value":"Luis Finke"}],"descriptions":[{"lang":"en","value":"Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres because /myplex/account provides the credentials of the server owner (and a /api/resources call reveals other servers accessible by that server owner)."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-669","description":"CWE-669 Incorrect Resource Transfer Between Spheres","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre","dateUpdated":"2026-01-02T15:56:59.792Z"},"references":[{"url":"https://www.plex.tv/media-server-downloads/"},{"url":"https://forums.plex.tv/t/plex-media-server-security-update/928341"},{"url":"https://www.bleepingcomputer.com/news/security/plex-warns-users-to-patch-security-vulnerability-immediately/"},{"url":"https://www.runzero.com/blog/plex/"},{"url":"https://www.tenable.com/plugins/nessus/250294"},{"url":"https://www.vulncheck.com/advisories/plex-media-server-unspecified"},{"url":"https://github.com/lufinkey/vulnerability-research/tree/main/CVE-2025-34158"},{"url":"https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md"}],"x_generator":{"engine":"enrichogram 0.0.1"},"metrics":[{"cvssV3_1":{"version":"3.1","baseScore":8.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"}}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-08-28T19:17:50.481204Z","id":"CVE-2025-34158","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-08-28T19:18:55.994Z"}}]},"dataVersion":"5.2"}