AVideo, Missing Authentication Vulnerability, CVE-2025-XXXXX (Medium)

Listen to this Post

The vulnerability exists in the `check.ffmpeg.json.php` endpoint, which is part of the AVideo platform’s API. This endpoint is designed to check the connectivity and configuration of a remote FFmpeg server. However, it lacks any form of authentication or access control checks. The endpoint’s code directly includes the configuration file and returns the result of a function call (testFFMPEGRemote()) as JSON. Unlike other FFmpeg management endpoints (e.g., kill.ffmpeg.json.php, list.ffmpeg.json.php, ffmpeg.php), which require administrative privileges, `check.ffmpeg.json.php` does not perform any user verification. This oversight allows any unauthenticated user to probe the FFmpeg remote server configuration and obtain its connectivity status, potentially revealing sensitive information about the platform’s encoding infrastructure.

DailyCVE Form

Platform: AVideo
Version: All versions prior to 20.1
Vulnerability: Missing authentication
Severity: Medium
Date: 2025-12-17

Prediction: Expected patch date is 2025-12-19

What Undercode Say:

The following bash commands and code snippets illustrate how to identify and exploit this vulnerability, as well as implement a fix.

Bash Command to Test the Vulnerability:

curl "https://your-avideo-instance.com/plugin/API/check.ffmpeg.json.php"

This command returns a JSON object containing information about the FFmpeg remote server’s status and configuration.

PHP Code for the Vulnerable Endpoint:

<?php
$configFile = <strong>DIR</strong>.'/../../videos/configuration.php';
require_once $configFile;
header('Content-Type: application/json');
$obj = testFFMPEGRemote();
die(json_encode($obj));

The code lacks any authentication checks, such as `User::isAdmin()` or User::isLogged().

How Exploit:

An attacker can exploit this vulnerability by sending a simple GET request to the vulnerable endpoint. The attacker does not need any credentials or prior knowledge. The endpoint will respond with a JSON payload that reveals the status of the FFmpeg remote server. This information can be used for reconnaissance to plan further attacks, such as targeting the FFmpeg server directly or chaining this information with other vulnerabilities.

Protection from this CVE:

To protect against this vulnerability, an authentication check should be added to the `check.ffmpeg.json.php` endpoint. The recommended fix is to insert the following code after the `require_once` line:

if (!User::isAdmin()) {
forbiddenPage('Admin only');
}

This ensures that only authenticated administrators can access the endpoint. Alternatively, administrators can apply a web server configuration to restrict access to the endpoint based on IP addresses or other criteria.

Impact:

The primary impact of this vulnerability is infrastructure reconnaissance. By accessing the endpoint, an attacker can determine whether the platform uses a standalone FFmpeg server and its current reachability. This information can aid in targeted attack planning, such as exploiting potential weaknesses in the FFmpeg server or using the FFmpeg server as a pivot point for further attacks. While the direct impact is limited, it significantly reduces the attacker’s effort in mapping the target’s infrastructure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top