VideoLAN, a project and a non-profit organization.

Security Bulletin VLC-iOS 3.5.9

Summary           : Vulnerability fixed in VLC media player
Date              : June 2024
Affected versions : VLC-iOS 3.5.7 and earlier
ID                : VideoLAN-SB-VLC-iOS-359


A potential path traversal via the included WiFi File Sharing feature could be used for arbitrary data uploads by malicious parties on the local network to storage locations invisible to the user within the application context.


If successful, a malicious third party could trigger a denial-of-service of the device due to exceeded storage space, or implications of the existence of arbitrary data. No read access was possible for third parties. No write access outside the application container was possible.

We have not seen exploits through this vulnerability.

The tvOS port of the app was not affected.
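
The class of bug described above, an upload filename that resolves outside the intended folder, is normally closed by validating the name and then checking the resolved destination. The following is an added illustration of that check, not VLC-iOS code and not the fix shipped in 3.5.9; the directory names, function names and sample filenames are constructed for the example.

```python
import os
import tempfile

class UploadRejected(ValueError):
    """Raised when a client-supplied filename must not be written."""

def resolve_upload_path(upload_root, client_filename):
    """Map a client-supplied filename to a path strictly inside upload_root."""
    if not client_filename or "\x00" in client_filename:
        raise UploadRejected("empty name or embedded NUL")
    # Treat both separator styles as path separators, whatever the host OS is.
    parts = client_filename.replace("\\", "/").split("/")
    if len(parts) != 1:
        raise UploadRejected("directory components are not allowed")
    name = parts[0]
    if name.startswith("."):  # covers ".", ".." and hidden files
        raise UploadRejected("dot names are not allowed")
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, name))
    # Containment check on the resolved path: this also catches a symlink
    # inside upload_root that points elsewhere in the container.
    if os.path.commonpath([root, candidate]) != root or candidate == root:
        raise UploadRejected("resolved path escapes the upload directory")
    return candidate

# Constructed sample filenames, as an upload request might carry them.
SAMPLE_NAMES = ["movie.mkv", "../Library/Caches/blob.bin", "..\\..\\x",
                "/etc/passwd", ".hidden", "..", "a/b.mp4", "name\x00.mp4"]

def demo():
    """Build a throwaway container layout and return {filename: accepted?}."""
    with tempfile.TemporaryDirectory() as container:
        root = os.path.join(container, "Documents")    # hypothetical upload dir
        outside = os.path.join(container, "Library")   # not meant for uploads
        os.mkdir(root)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(root, "link"))
        verdicts = {}
        for name in SAMPLE_NAMES + ["link"]:
            try:
                resolve_upload_path(root, name)
                verdicts[name] = True
            except UploadRejected:
                verdicts[name] = False
        return verdicts

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(repr(name), "accepted" if accepted else "rejected")
```

Path containment does not address the storage-exhaustion impact on its own; a size or free-space limit on uploads is a separate control.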

Threat mitigation

Exploitation of this issue requires the user to explicitly start WiFi File Sharing on a local network with potentially malicious actors.


The user should refrain from enabling WiFi File Sharing on local networks with potentially malicious actors until the update is installed.


VLC-iOS 3.5.9 addresses the issue.


Reported by Allar Lauk of TalTech University (Estonia)


The VideoLAN project
VLC-iOS GIT repository