PT-2026-26767 · Livelinks+1

Restriction · Published 2026-03-20 · Updated 2026-03-23 · CVE-2026-33480

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

AVideo versions up to and including 26.0

Description

The isSSRFSafeURL() function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services. Because the endpoint disables authentication, it is exploitable by any anonymous internet user, who can potentially steal cloud credentials, access internal network services, and interact with services bound to localhost.

The root cause is that IPv4-mapped IPv6 addresses are not checked in either the IPv4 or the IPv6 check path within isSSRFSafeURL(). The function uses regex patterns for its IPv4 checks and separate checks for IPv6, but fails to account for the ::ffff:0:0/96 prefix. The vulnerable endpoint makes two requests to the attacker-controlled URL: one using get_headers() and another using fakeBrowser() via curl, echoing the response content back to the attacker. A proof-of-concept demonstrates the ability to read AWS instance metadata, access localhost services, and scan internal networks.

Recommendations

Replace the manual IPv4/IPv6 blocklist approach in the isSSRFSafeURL() function with PHP's built-in FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE flags to correctly handle all private/reserved ranges, including IPv4-mapped IPv6 addresses.
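
A sketch of the recommended check, added here and not taken from AVideo: it unwraps an IPv4-mapped IPv6 literal to its embedded IPv4 address before applying the filter flags, so the verdict does not depend on how the running PHP version treats ::ffff:0:0/96. The function names and sample URLs are constructed for illustration, and only URLs whose host is an IP literal are covered.

```php
<?php
// Added example; not AVideo's code. Function names are hypothetical.

// Return the IPv4 address embedded in an IPv4-mapped IPv6 literal
// (::ffff:0:0/96), or null when $ip is outside that prefix.
function unwrapMappedIPv4(string $ip): ?string
{
    $bin = @inet_pton($ip);
    if ($bin === false || strlen($bin) !== 16) {
        return null; // not an IPv6 literal
    }
    $mappedPrefix = str_repeat("\x00", 10) . "\xff\xff";
    if (substr($bin, 0, 12) !== $mappedPrefix) {
        return null;
    }
    $v4 = inet_ntop(substr($bin, 12, 4));
    return $v4 === false ? null : $v4;
}

// True only for an IP literal outside the private and reserved ranges.
function isPublicIp(string $ip): bool
{
    $ip = unwrapMappedIPv4($ip) ?? $ip;
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Check a URL whose host is an IP literal. Hostnames return false here;
// they would need resolving, with every resolved address checked.
function urlHostIsPublicIp(string $url): bool
{
    $host = parse_url($url, PHP_URL_HOST);
    return is_string($host) && isPublicIp(trim($host, '[]'));
}

// Constructed sample URLs.
$samples = [
    'http://[::ffff:169.254.169.254]/latest/meta-data/',
    'http://[::ffff:127.0.0.1]/',
    'http://[::ffff:10.0.0.5]/',
    'http://127.0.0.1/',
    'http://[::1]/',
    'http://93.184.216.34/',
];
foreach ($samples as $url) {
    printf("%-52s %s\n", $url, urlHostIsPublicIp($url) ? 'allow' : 'block');
}
```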

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33480
GHSA-P3GR-G84W-G8HH

Affected Products

Avideo
Livelinks