logo

Database

Server-side request forgery (SSRF) In wwbn/avideo

Description

WWBN AVideo has an incomplete fix for CVE-2026-33039: SSRF

Summary

The incomplete SSRF fix in AVideo's LiveLinks proxy adds isSSRFSafeURL() validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints.

Affected Package

    Ecosystem: Other

    Package: AVideo

    Affected versions: < commit 0e56382921fc71e64829cd1ec35f04e338c70917

    Patched versions: >= commit 0e56382921fc71e64829cd1ec35f04e338c70917

Details

The plugin/LiveLinks/proxy.php endpoint proxies live stream URLs. The fix adds isSSRFSafeURL() check on the initial URL, redirect URL validation, and follow_location=0 in the get_headers() context. However, multiple DNS TOCTOU vulnerabilities remain.

For the initial URL, isSSRFSafeURL() resolves DNS once for validation, but get_headers() resolves DNS again independently. A DNS rebinding attack with TTL=0 returns a safe external IP for the first resolution and an internal IP for the second.

The same TOCTOU exists for redirect URLs: isSSRFSafeURL() validates the redirect target (first resolution returns a safe IP), then fakeBrowser() makes the actual request (second resolution returns an internal IP).

Additionally, even with follow_location=0, get_headers() still sends an HTTP request that can probe internal services via DNS rebinding, and multiple Location headers in a response cause filter_var() to receive an array instead of a string, resulting in a fall-through to the else branch.

PoC

#!/usr/bin/env python3
"""
CVE-2026-33039 - AVideo LiveLinks Proxy SSRF via DNS Rebinding
"""

import re
import sys
...

Steps to reproduce:

    Run python3 poc.py.

    Observe that all three DNS rebinding bypass vectors succeed.

Expected output:

VULNERABILITY CONFIRMED
DNS TOCTOU bypass vectors succeed on initial URL, redirect URL, and get_headers() side-effect paths.

Impact

DNS rebinding allows an attacker to bypass SSRF validation and make the server send requests to internal services, cloud metadata endpoints, and other protected resources.

Suggested Remediation

Pin DNS resolution: resolve the hostname once, validate the IP, and use the resolved IP for the actual request via CURLOPT_RESOLVE or equivalent. Remove the get_headers() call. Block redirects entirely or re-validate using pinned DNS after each redirect.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. CVE-2026-410552. NVD-2026-330393. NVD-2026-410554. OSV-2026-410555. GHSA-793q-xgj6-7frp6. GHSA-9x67-f2v7-63rw7. GCVE-2026-41055

References

1. https://github.com/WWBN/AVideo/security/advisories/GHSA-793q-xgj6-7frp2. https://github.com/WWBN/AVideo/security/advisories/GHSA-9x67-f2v7-63rw3. https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c709174. https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-GI0IB – Vulnerability | Fluid Attacks Database