CVE-2025-13876 in HD Video Player All Formats App

Summary

by MITRE • 12/02/2025

A security vulnerability has been detected in Rareprob HD Video Player All Formats App 12.1.372 on Android. An unknown function of the component com.rocks.music.videoplayer is affected. The manipulation leads to path traversal. The attack must be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Analysis

by VulDB Data Team • 02/27/2026

This vulnerability is a critical path traversal flaw in the Rareprob HD Video Player application, affecting version 12.1.372 on Android. The issue resides in the com.rocks.music.videoplayer component, where an unknown function fails to validate file paths properly during media processing. Path traversal vulnerabilities arise when an application uses user-supplied input in file system operations without adequate sanitization, letting an attacker reach files outside the intended directory. Here, that weakness allows a malicious actor to move through the file system hierarchy and potentially reach sensitive data or system resources that should remain protected.

Exploitation requires local access to the device, meaning the attacker must already have physical or administrative access to the target system. This requirement narrows the attack surface compared with remote exploits, but it remains a significant concern for applications that handle user-generated content or media files. The vulnerability is classified under CWE-22, which covers path traversal (directory traversal). Such attacks belong to the broader family of file system manipulation techniques documented in numerous security assessments and incident reports. Because the exploit has been publicly disclosed, the risk profile is significantly higher: threat actors have a ready-made attack vector.

The operational impact extends beyond simple data access: the flaw could potentially allow attackers to read system configuration files, access user credentials stored in local databases, or even execute arbitrary code through carefully crafted file paths. Mobile applications that process media files from external sources are particularly exposed, since they must handle many file formats and often lack robust input validation. The attack vector is the manipulation of file path parameters during media playback, where the application fails to sanitize or validate the path before accessing the file. The weakness can therefore be used to read files from other directories on the device, compromising user privacy and system integrity.

Organizations and users should immediately apply mitigations: update to the latest version of the application if one is available, apply security patches from the vendor, and implement proper input validation controls. System administrators should assess all installed applications and monitor for suspicious file access patterns. The vendor's lack of response to early disclosure creates additional risk, as no patch or workaround may be available. ATT&CK techniques T1059.007 (Command and Scripting Interpreter: JavaScript) and T1566.001 (Phishing: Spearphishing Attachment) could be relevant if attackers use this vulnerability as part of a broader attack chain. Users should exercise caution when downloading or installing media applications and keep their mobile devices updated to minimize exposure to known vulnerabilities. The vulnerability underscores the importance of security testing during development and of keeping all software components patched.
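The validation gap described above is the unchecked join of a caller-controlled file name onto an app directory. The Java snippet below is an added illustration, not code from the Rareprob app, contrasting that pattern with a canonical-path containment check of the kind the mitigation advice calls for; the class, method names and the media directory are assumptions.

```java
import java.io.File;
import java.io.IOException;

// Added example (hypothetical names, not the Rareprob app's code): an
// unchecked path join beside a canonical-path containment check for a
// media file name taken from an Intent extra or other caller-controlled input.
public final class MediaPathGuard {

    // Vulnerable pattern: the caller-supplied name is joined onto the media
    // directory as-is, so "../" segments walk out of it.
    static File resolveUnchecked(File mediaDir, String requested) {
        return new File(mediaDir, requested);
    }

    // Hardened pattern: canonicalise both sides (this also resolves symlinks
    // and "." / ".." segments) and require the result to lie strictly inside
    // the media directory. Returns null when the request must be refused.
    static File resolveContained(File mediaDir, String requested) throws IOException {
        String base = mediaDir.getCanonicalPath();
        String target = new File(mediaDir, requested).getCanonicalPath();
        // Append the separator so "/app/media" does not accept "/app/media2/x",
        // and so a request for the directory itself is refused as well.
        if (!target.startsWith(base + File.separator)) {
            return null;
        }
        return new File(target);
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical app-private media directory, constructed for this example.
        File mediaDir = new File("/data/data/com.example.player/files/media");
        String[] requests = {
            "clip.mp4",                         // legitimate name
            "../../shared_prefs/settings.xml",  // escapes mediaDir
            "sub/../clip.mp4"                   // normalises back inside
        };
        for (String req : requests) {
            File unchecked = resolveUnchecked(mediaDir, req);
            File checked = resolveContained(mediaDir, req);
            System.out.printf("%-36s unchecked -> %s%n", req, unchecked.getCanonicalPath());
            System.out.printf("%-36s contained -> %s%n", "",
                    checked == null ? "REJECTED" : checked.getPath());
        }
    }
}
```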

Responsible: VulDB

Disclosure: 12/02/2025

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.00040

KEV: no

Activities: very low
