CVE-2025-34434

CriticalPublic PoC

Published: 17 December 2025

Published

17 December 2025

Modified

19 December 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0027 50.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload…

or delete images associated with any image-based video.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly requires identification and documentation of actions permitted without authentication, preventing unauthenticated file upload and deletion on ImageGallery plugin endpoints.

AC-3 Access Enforcement good match

prevent

Mandates enforcement of approved authorizations including authentication checks and ownership validation to block unauthorized access to gallery management functions.

AC-6 Least Privilege good match

prevent

Applies least privilege to ensure unauthenticated users have no access to upload or delete images associated with any video gallery.

Security SummaryAI

CVE-2025-34434 is a missing authentication vulnerability (CWE-306) in AVideo versions prior to 20.1 when the ImageGallery plugin is enabled. The plugin's endpoints for managing gallery images fail to enforce authentication checks or validate ownership, enabling unauthenticated file upload and deletion for images associated with any image-based video. Published on 2025-12-17, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical impact on integrity and availability.

Unauthenticated remote attackers can exploit the vulnerable endpoints over the network with low attack complexity and no user interaction required. Successful exploitation allows attackers to upload arbitrary images to any video's gallery or delete existing ones without ownership restrictions, potentially disrupting content availability or enabling further compromise through malicious file uploads.

Advisories from VulnCheck and ChocaPikk detail the issue, while AVideo repository commits 4a53ab2056 and c279999cbd provide the fixes. Mitigation requires upgrading to AVideo version 20.1 or later to address the authentication and validation deficiencies in the ImageGallery plugin.

Details

CWE(s): CWE-306

Affected Products

wwbn

avideo

≤ 20.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Missing authentication enables unauthenticated exploitation of public-facing web application (T1190). Allows arbitrary image/file uploads, facilitating web shell deployment for persistence (T1505.003) and potential further compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
disclosure@vulncheck.com
https://github.com/WWBN/AVideo/commit/4a53ab2056
Patch · disclosure@vulncheck.com
https://github.com/WWBN/AVideo/commit/c279999cbd
Patch · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/avideo-imagegallery-plugin-unauthenticated-file-upload-and-deletion
Third Party Advisory · disclosure@vulncheck.com