Skip to content

AVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation

Moderate severity GitHub Reviewed Published Mar 30, 2026 in WWBN/AVideo • Updated Apr 2, 2026

Package

composer wwbn/avideo (Composer)

Affected versions

<= 26.0

Patched versions

None

Description

Summary

The EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services.

Details

When a user adds or edits a video, the EPG link is stored via objects/videoAddNew.json.php:119:

$obj->setEpg_link($_POST['epg_link']);

The only validation applied is FILTER_VALIDATE_URL, which accepts URLs targeting internal addresses such as http://127.0.0.1, http://169.254.169.254, or http://10.0.0.1.

Later, when the EPG data is parsed, the stored URL is fetched server-side at objects/EpgParser.php:358:

$this->content = @\file_get_contents($this->url);

The file_get_contents() function follows redirects and supports multiple protocols including http://, https://, ftp://, and depending on PHP configuration, php:// and other stream wrappers.

The codebase contains an isSSRFSafeURL() function that validates URLs against internal network ranges, but this function is not invoked anywhere in the EPG link processing path.

Because the URL is stored in the database, every subsequent visit to the EPG page re-triggers the server-side request. This makes the SSRF persistent and repeatable without further attacker interaction.

Proof of Concept

  1. Authenticate as a user with upload permissions.

  2. Create or edit a video and set the EPG link to an internal target:

# Target the cloud metadata service
curl -b "PHPSESSID=USER_SESSION" \
  -X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
  -d "title=Test+Video&epg_link=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  1. Trigger the EPG parser by visiting the video's EPG page, or wait for the next page load that processes EPG data:
curl -b "PHPSESSID=USER_SESSION" \
  "https://your-avideo-instance.com/plugin/Live/view/Live_schedule/?videos_id=VIDEO_ID"
  1. To scan internal ports, set the EPG link to various internal addresses:
# Scan an internal service
curl -b "PHPSESSID=USER_SESSION" \
  -X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
  -d "title=Test+Video&epg_link=http://127.0.0.1:6379/"
  1. The server fetches the URL via file_get_contents(). Response differences (timing, error messages, or returned content via EPG display) reveal whether internal services are running.

Impact

An authenticated user with upload permissions can force the AVideo server to make HTTP requests to arbitrary internal and external targets. This enables scanning of internal networks, access to cloud instance metadata (potentially exposing IAM credentials on AWS/GCP/Azure), and interaction with internal services that are not intended to be externally accessible. The stored nature of this SSRF means it re-executes on every page visit, amplifying the impact.

  • CWE-918: Server-Side Request Forgery (SSRF)
  • Severity: Medium

Recommended Fix

Add an isSSRFSafeURL() check before the file_get_contents() call at objects/EpgParser.php:355:

if (function_exists('isSSRFSafeURL') && !isSSRFSafeURL($this->url)) {
    throw new \RuntimeException('URL blocked by SSRF protection');
}

This reuses the existing SSRF protection function that is already applied in other code paths.

Found by aisafe.io

References

@DanielnetoDotCom DanielnetoDotCom published to WWBN/AVideo Mar 30, 2026
Published by the National Vulnerability Database Mar 31, 2026
Published to the GitHub Advisory Database Apr 1, 2026
Reviewed Apr 1, 2026
Last updated Apr 2, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(8th percentile)

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

CVE-2026-34740

GHSA ID

GHSA-x5vx-vrpf-r45f

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.