PatchSiren cyber security CVE debrief

CVE-2017-5982 Kodi CVE debrief

CVE-2017-5982 is a high-severity directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi. A remote attacker can use a crafted encoded image path to escape the intended directory and read arbitrary local files, including sensitive system files. NVD classifies the issue as CWE-22 and assigns CVSS 3.0 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Vendor: Kodi
Product: CVE-2017-5982
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-28
Original CVE updated: 2026-05-13
Advisory published: 2017-02-28
Advisory updated: 2026-05-13

Who should care

Kodi users and administrators, especially anyone running the Chorus2 2.4.2 add-on; distro and appliance maintainers that package Kodi add-ons; defenders responsible for systems where local file confidentiality matters.

Technical summary

The vulnerability is an encoded-path directory traversal in the add-on's image handling. The supplied CVE description shows that a remote request containing an encoded dot-dot traversal sequence can bypass path normalization and disclose files outside the intended image path. The impact is confidentiality-only: arbitrary file read, not code execution or integrity loss, per the supplied CVSS vector and CVE description.

Defensive priority

High for any environment that still has the affected add-on installed or reachable. Because the issue is remotely triggerable and exposes local files without authentication, it should be treated as a prompt removal or replacement candidate until a fixed package is confirmed.

Recommended defensive actions

Verify whether Chorus2 2.4.2 is installed in any Kodi deployment and remove or disable it if it is not strictly required.
Apply a vendor or distribution fix if one is available; otherwise uninstall the affected add-on and replace it with a maintained alternative.
Review access logs for requests that contain encoded traversal patterns or unexpected image-path requests.
Minimize the privileges and readable files available to the Kodi runtime account so that a successful read-only flaw exposes less sensitive data.
Check downstream package advisories, including distribution security announcements, for any backported fixes or maintained package updates.

Evidence notes

This debrief is based on the supplied CVE record and NVD metadata. The CVE was published on 2017-02-28 and last modified in NVD on 2026-05-13. NVD lists the affected CPE as kodi:kodi:17.1, maps the weakness to CWE-22, and provides the CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vendor/product attribution in the supplied data is based on NVD CPE mapping and should be treated with medium confidence.

Official resources

CVE-2017-5982 CVE record
CVE.org
CVE-2017-5982 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory, VDB Entry
Source reference
[email protected]
Source reference
[email protected]
Mitigation or vendor reference
[email protected] - Exploit, Third Party Advisory, VDB Entry

Publicly disclosed in the CVE record on 2017-02-28; the supplied NVD metadata was last modified on 2026-05-13. No CISA KEV listing is present in the supplied data.