Vulnerability_id VCID-3s9n-wk6w-1qbe
Summary AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.
Aliases
0
alias CVE-2025-34441
Fixed_packages
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-34441
reference_id
reference_type
scores
0
value 0.40796
scoring_system epss
scoring_elements 0.97476
published_at 2026-06-13T12:55:00Z
1
value 0.40796
scoring_system epss
scoring_elements 0.97475
published_at 2026-06-14T12:55:00Z
2
value 0.40796
scoring_system epss
scoring_elements 0.97466
published_at 2026-06-11T12:55:00Z
3
value 0.40796
scoring_system epss
scoring_elements 0.97474
published_at 2026-06-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-34441
1
reference_url https://github.com/WWBN/AVideo/commit/1416c517e2
reference_id 1416c517e2
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-17T20:34:09Z/
url https://github.com/WWBN/AVideo/commit/1416c517e2
2
reference_url https://github.com/WWBN/AVideo/commit/4a53ab2056
reference_id 4a53ab2056
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-17T20:34:09Z/
url https://github.com/WWBN/AVideo/commit/4a53ab2056
3
reference_url https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
reference_id avideo-security-vulnerabilities
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-17T20:34:09Z/
url https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
4
reference_url https://www.vulncheck.com/advisories/avideo-user-information-disclosure-via-public-api
reference_id avideo-user-information-disclosure-via-public-api
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-12-17T20:34:09Z/
url https://www.vulncheck.com/advisories/avideo-user-information-disclosure-via-public-api
Weaknesses
0
cwe_id 359
name Exposure of Private Personal Information to an Unauthorized Actor
description The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.
Exploits
0
date_added null
description
This module exploits an unauthenticated remote code execution (RCE) vulnerability
in AVideo's notify.ffmpeg.json.php endpoint. The vulnerability stems from a critical
cryptographic weakness in the salt generation mechanism combined with information
disclosure vulnerabilities that allow an attacker to discover the encryption salt
through offline bruteforce.

Root Cause:
During installation, AVideo generates an encryption salt using PHP's uniqid() function,
which is not cryptographically secure. uniqid() generates a 13-character hexadecimal
string composed of: 8 characters for Unix timestamp in hex, and 5 characters for
microseconds in hex (0x00000 to 0xFFFFF = 1,048,576 possible values).

Exploit Chain:
1. Leak installation timestamp from /objects/categories.json.php (public endpoint)
2. Leak video hashId from /objects/videosAndroid.json.php or /plugin/API/get.json.php
3. Leak system root path from posterPortraitPath in video API responses
4. Leak server timezones from /objects/getTimes.json.php
5. Offline bruteforce of the remaining 5 microsecond characters using hashId comparison
6. Use recovered salt to encrypt RCE payload for notify.ffmpeg.json.php eval()

The notify.ffmpeg.json.php endpoint uses decryptString() to decrypt the callback parameter,
which has a fallback mechanism: if decryption with saltV2 (cryptographically secure) fails,
it retries with the old uniqid() salt. This fallback makes the RCE exploitable.

Affected Versions:
AVideo 14.3.1+ (introduced January 7, 2025). Requires: Fallback mechanism in
encrypt_decrypt() (introduced January 15, 2024) and notify.ffmpeg.json.php with
eval($callback) (introduced January 7, 2025).

Note on v20.0: The vendor removed the posterPortraitPath leak but did NOT remove
the legacy salt fallback or eval($callback). RCE remains exploitable using SYSTEM_ROOT.

This vulnerability does not require authentication and can be exploited remotely by any
attacker who can access the AVideo instance.
required_action null
due_date null
notes
Stability:
  - crash-safe
Reliability:
  - repeatable-session
SideEffects:
  - ioc-in-logs
known_ransomware_campaign_use false
source_date_published 2025-12-19
exploit_type null
platform Linux,PHP,Unix,Windows
source_date_updated null
data_source Metasploit
source_url https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/avideo_notify_ffmpeg_unauth_rce.rb
Severity_range_score 6.9 - 6.9
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3s9n-wk6w-1qbe