How severe is GHSA-5x2w-37xf-7962?

No CVSS score has been assigned to GHSA-5x2w-37xf-7962 yet. Review the advisory details and affected package list to assess your exposure.

Which packages are affected by GHSA-5x2w-37xf-7962?

GHSA-5x2w-37xf-7962 affects the following packages: wwbn/avideo (Packagist). Ecosystems affected: Packagist.

How do I fix GHSA-5x2w-37xf-7962?

No patched version of wwbn/avideo has shipped for GHSA-5x2w-37xf-7962 yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.

How do I detect GHSA-5x2w-37xf-7962 in my Packagist dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for wwbn/avideo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-5x2w-37xf-7962 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-5x2w-37xf-7962?

O3 pinpoints whether GHSA-5x2w-37xf-7962 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-5x2w-37xf-7962 actively exploited in the wild?

No public exploit code has been indexed for GHSA-5x2w-37xf-7962 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-5x2w-37xf-7962 published, and has it been updated?

GHSA-5x2w-37xf-7962 was published on March 19, 2026 and was last updated on March 19, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐘 Packagist

GHSA-5x2w-37xf-7962

AVideo has Unauthenticated PGP Message Decryption via Public Endpoint

Published

Mar 19, 2026

Updated

Mar 19, 2026

Affected

1 pkg

Patched

None yet

Exploits

None indexed

Blast Radius

1 pkg affected

🐘wwbn/avideo

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The AVideo platform exposes a publicly accessible endpoint that performs server-side PGP decryption without requiring any form of authentication. Any anonymous user can submit a private key, ciphertext, and passphrase to the endpoint and receive the decrypted plaintext in the JSON response. This functionality is entirely unprotected, meaning no session, token, or credential is needed to invoke it.

Details

The endpoint at decryptMessage.json.php accepts a JSON body containing three user-supplied fields: a private key, an encrypted message, and a key password. The server passes these directly into a decryption routine and returns the result. There is no call to any authentication or session validation function before this operation is performed. The relevant server-side operation is:

$textDecrypted = decryptMessage($obj->textToDecrypt, $obj->privateKeyToDecryptMsg, $obj->keyPassword);

Because no access control exists, any unauthenticated request that reaches this endpoint will be processed. The primary concerns are exposure of private key material to server memory and logging infrastructure, and unconstrained consumption of server CPU resources for cryptographic operations. An attacker who has obtained a private key and matching ciphertext through other means can offload decryption work to the target server without holding any account on the platform.

PoC

curl -s -X POST \
  "https://target.example.com/plugin/LoginControl/pgp/decryptMessage.json.php" \
  -H "Content-Type: application/json" \
  -d '{
    "textToDecrypt": "-----BEGIN PGP MESSAGE-----\n<base64_ciphertext>\n-----END PGP MESSAGE-----",
    "privateKeyToDecryptMsg": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n<base64_private_key>\n-----END PGP PRIVATE KEY BLOCK-----",
    "keyPassword": "passphrase"
  }'

Impact

Private key material submitted to this endpoint is processed in server memory and may be captured in application logs, web server access logs, or error logs depending on server configuration. This can result in unintended disclosure of sensitive key material to administrators or anyone with log access. Additionally, the lack of any rate limiting combined with the absence of authentication allows any external party to submit large volumes of decryption requests, consuming server CPU resources without restriction. Any user who can reach the endpoint network-layer can trigger these effects.

Mitigation

A User::isLogged() check, or an equivalent session and authentication validation step, should be added at the top of decryptMessage.json.php before any user-supplied input is processed. Decryption operations should only be permitted for authenticated and authorized users. Server logging configuration should also be reviewed to ensure that POST body contents, including key material, are not written to persistent logs.

Affected Packages

1 total

Ecosystem	Package	Vulnerable range	Fix
🐘Packagist	`wwbn/avideo`	all versions	No fix

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for wwbn/avideo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of wwbn/avideo has shipped for GHSA-5x2w-37xf-7962 yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-5x2w-37xf-7962 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-5x2w-37xf-7962. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary The AVideo platform exposes a publicly accessible endpoint that performs server-side PGP decryption without requiring any form of authentication. Any anonymous user can submit a private key, ciphertext, and passphrase to the endpoint and receive the decrypted plaintext in the JSON response. This functionality is entirely unprotected, meaning no session, token, or credential is needed to invoke it. ### Details The endpoint at decryptMessage.json.php accepts a JSON body containing three user-supplied fields: a private key, an encrypted message, and a key password. The server passe

O3 Security · Impact-Aware SCA

Is GHSA-5x2w-37xf-7962 in your dependencies?

O3 detects GHSA-5x2w-37xf-7962 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works