DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-MWJC-5J4X-R686: CVE-2025-34433: Unauthenticated Remote Code Execution via Cryptographic Failures in AVideo

Vulnerability ID: GHSA-MWJC-5J4X-R686
CVSS Score: 10.0
Published: 2026-03-20

AVideo versions 14.3.1 through 20.0 are vulnerable to an unauthenticated Remote Code Execution (RCE) flaw. The vulnerability arises from a chain of information disclosure, predictable cryptographic salt generation, and an unsafe evaluation sink. An unauthenticated attacker can derive the internal encryption key and forge authenticated payloads to achieve full system compromise.

TL;DR

An unauthenticated attacker can recover AVideo's cryptographic key via an offline brute-force attack against a leaked, time-based salt. This recovered key allows the forgery of AES-encrypted payloads that are subsequently executed by an unprotected eval() sink.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CVSS v4.0 Score: 10.0
  • Attack Vector: Network
  • Authentication Required: None
  • Exploit Status: Weaponized
  • Vulnerability Type: Remote Code Execution, Cryptographic Failure
  • Affected Components: encrypt_decrypt() fallback, notify.ffmpeg.json.php

Affected Systems

  • AVideo 14.3.1
  • AVideo 20.0
  • AVideo: >= 14.3.1, <= 20.0 (no fixed version; unpatched)

Mitigation Strategies

  • Remove or restrict access to the /view/admin/notify.ffmpeg.json.php endpoint entirely.
  • Update saltV2 in videos/configuration.php to a long, cryptographically secure random string.
  • Refactor encrypt_decrypt() to permanently remove the legacy $useOldSalt fallback logic.
  • Implement Web Application Firewall (WAF) rules to inspect POST bodies to the FFmpeg notification endpoint.

Remediation Steps:

  1. Identify the affected AVideo installation directory.
  2. Locate the file view/admin/notify.ffmpeg.json.php and either delete it or restrict access to it with HTTP basic authentication in the web server configuration.
  3. Generate a new 64-character cryptographically random string.
  4. Open videos/configuration.php and replace the existing saltV2 value with the newly generated string.
  5. Monitor access logs for POST requests targeting the notify.ffmpeg.json.php endpoint to identify potential compromise attempts.
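
An added example (not from the advisory or the AVideo project) covering remediation steps 3 and 5: it generates a 64-character salt from the OS CSPRNG and flags POST requests to the endpoint in access-log lines. The Combined Log Format, the sample log lines, and the reading of a 2xx status as "the request reached the script" are assumptions.

```python
import re
import secrets
import string
from collections import Counter
from urllib.parse import unquote

ENDPOINT = "/view/admin/notify.ffmpeg.json.php"  # path from the mitigation list

# Combined Log Format (assumed): ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2026:10:02:11 +0000] "POST /view/admin/notify.ffmpeg.json.php HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.7 - - [21/Mar/2026:10:02:14 +0000] "POST /view/admin/notify.ffmpeg.json.php HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.20 - - [21/Mar/2026:11:15:40 +0000] "GET /view/admin/notify.ffmpeg.json.php HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.44 - - [22/Mar/2026:08:30:02 +0000] "POST /avideo//view/admin/notify.ffmpeg.json.php?x=1 HTTP/1.1" 403 153 "-" "-"',
    '192.0.2.9 - - [22/Mar/2026:08:31:00 +0000] "POST /index.php HTTP/1.1" 200 88 "-" "-"',
]

def new_salt(length=64):
    """Step 3: random alphanumeric string drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def find_notify_posts(lines):
    """Step 5: POST requests whose path resolves to the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string, decode %xx, collapse '//' so variants still match.
        path = re.sub(r"/+", "/", unquote(m["path"].split("?", 1)[0]))
        if path.endswith(ENDPOINT):  # endswith also covers installs in a subdirectory
            hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"])})
    return hits

def summarise(hits):
    """Per client: total POSTs, and how many were answered 2xx (not blocked)."""
    total = Counter(h["ip"] for h in hits)
    reached = Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)
    return {ip: {"posts": n, "reached_script": reached[ip]} for ip, n in total.items()}

if __name__ == "__main__":
    print("new saltV2 candidate:", new_salt())
    for ip, row in summarise(find_notify_posts(SAMPLE_LOG)).items():
        print(ip, row)
```

Once step 2 is in place, every hit should show a 401, 403 or 404; any client with a non-zero reached_script count was answered by the script itself and warrants investigation.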

Read the full report for GHSA-MWJC-5J4X-R686 on our website for more details including interactive diagrams and full exploit analysis.
