Improper resource allocation - Buffer overflow In wwbn/avideo

Description

AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()

Summary

The getRealIpAddr() function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging.

Vulnerable Code

File: objects/functions.php

```php
function getRealIpAddr() {
    // Lookup order as given in the advisory: the first three keys are populated
    // from request headers the client controls; only REMOTE_ADDR comes from the socket
    $headers = [
        'HTTP_X_REAL_IP',
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'REMOTE_ADDR'
    ];
    // Loop body reconstructed from the description above: the first value present wins,
    // so a forged header is returned before the real peer address is ever consulted
    foreach ($headers as $header) {
        if (!empty($_SERVER[$header])) {
            return $_SERVER[$header];
        }
    }
    return '';
}
```

Attack Scenario

1. The attacker sends a request with a forged header:

   X-Client-IP: 127.0.0.1

   or

   X-Real-IP: 192.168.1.1

2. getRealIpAddr() returns the forged IP.

3. Any IP-based rate limiting, access control, or audit log that relies on this function is bypassed.

Proof of Concept

```sh
curl -H "X-Client-IP: 127.0.0.1" \
     https://target.com/any_endpoint.php
```

The server now believes the request came from localhost.

Impact

    Bypass IP-based rate limiting

    Bypass IP-based access controls

    Forge audit log entries

    Potential privilege escalation if localhost is trusted

Mitigation
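A hardened variant, added here as an example and not code from the AVideo project: it returns the socket-level peer address unless that peer is a configured reverse proxy, and only then walks X-Forwarded-For from the right, skipping known proxy hops. The TRUSTED_PROXIES list, the getClientIp() name and the sample addresses are assumptions.

```php
<?php
// Added example (not AVideo's code). TRUSTED_PROXIES is an assumed deployment
// setting listing the reverse proxies allowed to set forwarding headers.
const TRUSTED_PROXIES = ['10.0.0.5', '10.0.0.6']; // constructed sample values

function getClientIp(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    // REMOTE_ADDR is filled in by the web server from the TCP connection; no HTTP
    // header can overwrite it, so it is the only value trusted by default.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer; // direct client: X-Real-IP / Client-IP / XFF are ignored entirely
    }
    // The peer is one of our proxies. Each proxy appends the address it saw to
    // X-Forwarded-For, so the rightmost non-proxy entry is the address our own
    // proxy observed; anything further left was supplied by the client.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $candidate = $chain[$i];
        if (in_array($candidate, $trustedProxies, true)) {
            continue; // an internal hop, keep walking left
        }
        // Accept only a well-formed IP literal; private ranges stay allowed because
        // legitimate clients behind the proxy may live in them.
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
        break; // malformed entry: do not trust the rest of the chain
    }
    return $peer; // no usable forwarded address, fall back to the proxy itself
}

// Constructed requests showing the difference in behaviour.
$direct = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_REAL_IP' => '127.0.0.1'];
var_dump(getClientIp($direct));   // string(11) "203.0.113.7": forged header ignored

$viaProxy = [
    'REMOTE_ADDR' => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1, 198.51.100.9, 10.0.0.6',
];
var_dump(getClientIp($viaProxy)); // string(12) "198.51.100.9": client-prepended 127.0.0.1 discarded
```

The same rule applies to any rate limiter or audit logger that consumes the result: key on the value this function returns, never on a raw $_SERVER header.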
