DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-5X2W-37XF-7962: GHSA-5X2W-37XF-7962: Unauthenticated PGP Decryption and Resource Exhaustion in AVideo

#security #cve #cybersecurity #ghsa

GHSA-5X2W-37XF-7962: Unauthenticated PGP Decryption and Resource Exhaustion in AVideo

Vulnerability ID: GHSA-5X2W-37XF-7962
CVSS Score: 4.8
Published: 2026-03-19

AVideo versions up to and including 25.0 expose a publicly accessible, unauthenticated endpoint that performs server-side PGP decryption. This vulnerability allows an anonymous attacker to submit arbitrary cryptographic workloads to the server, potentially causing resource exhaustion and exposing sensitive private key material in application logs.

TL;DR

An unauthenticated endpoint in AVideo's LoginControl plugin allows arbitrary PGP decryption operations. Attackers can exploit this to consume server CPU resources or expose private keys via system logs.

⚠️ Exploit Status: POC

Technical Details

  • Advisory ID: GHSA-5X2W-37XF-7962
  • CWE ID: CWE-306, CWE-287, CWE-312
  • CVSS v4.0 Score: 4.8 (Medium)
  • Attack Vector: Network
  • Authentication Required: None
  • Exploit Status: Proof of Concept (PoC) Available
  • Vulnerability Impact: Resource Exhaustion (DoS) and Information Exposure
  • Patch Status: Unpatched (as of March 2026)

Affected Systems

  • WWBN/AVideo
  • AVideo: <= 25.0 (Fixed in: Unpatched)

Exploit Details

Mitigation Strategies

  • Implement web server-level access controls to block public routing to the vulnerable endpoint.
  • Apply a manual source code hotfix to introduce session validation before script execution.
  • Sanitize application and WAF logs to prevent cleartext storage of POST request bodies.

Remediation Steps:

  1. Locate the Nginx or Apache configuration file managing the AVideo instance.
  2. Add a block or rewrite rule explicitly denying external access to /plugin/LoginControl/pgp/.
  3. Restart the web server to apply the new configuration directives.
  4. If modifying source code, edit plugin/LoginControl/pgp/decryptMessage.json.php.
  5. Add if (!User::isLogged()) { http_response_code(403); exit; } immediately following the opening PHP tag.

References

Read the full report for GHSA-5X2W-37XF-7962 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)