Cyber Posture

CVE-2025-34436

Severity: High · Public PoC

Published: 17 December 2025
Modified: 19 December 2025
KEV Added: (not listed)
Patch: (see fix commits in the Security Summary)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: AC-3 mandates enforcement of approved access authorizations, directly preventing IDOR by requiring ownership verification before allowing file uploads to user directories.
- prevent: SI-10 requires validation of information inputs, such as manipulated directory references in upload requests, to ensure they belong to the authenticated user.
- prevent: AC-6 enforces least privilege, limiting authenticated users to access only their own directories and reducing the impact of missing ownership checks.

Security Summary (AI-generated)

CVE-2025-34436 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639, affecting AVideo versions prior to 20.1. The flaw exists in the platform's upload functionality, which authenticates users but fails to enforce ownership checks on target directories. This allows any authenticated user to upload files into directories belonging to other users. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity.

An attacker with a low-privilege authenticated account (PR:L) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N). By manipulating the directory reference in upload requests, they can place arbitrary files in other users' directories, potentially leading to high-impact confidentiality breaches (e.g., overwriting sensitive data), integrity violations (e.g., injecting malicious code), and availability disruptions (e.g., filling storage). No elevation beyond the initial privileges is required, and the scope remains unchanged (S:U).

Advisories from sources like VulnCheck and Chocapikk detail the issue, while GitHub commits 4a53ab2056 and c279999cbd in the WWBN/AVideo repository provide fixes. Mitigation involves upgrading to AVideo version 20.1 or later, where ownership verification has been added to the upload process, preventing unauthorized directory access.
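The weak pattern the summary describes (authentication checked, ownership not) beside its hardened form, plus a small audit-log check for cross-user uploads. This is an added illustration, not AVideo's code or the project's fix; the directory table, path root, log entries and function names are constructed assumptions.

```python
"""Constructed example of an upload handler with and without an ownership check
(CWE-639 pattern). Not AVideo's code; names and data here are assumptions."""
from pathlib import PurePosixPath

# Constructed ownership table: upload directory id -> owning account.
DIR_OWNERS = {"dir-alice": "alice", "dir-bob": "bob"}
UPLOAD_ROOT = "/var/www/uploads"  # assumed location, not AVideo's layout


class NotAuthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def _require_login(session_user: str) -> None:
    if not session_user:
        raise NotAuthenticated("login required")


def upload_vulnerable(session_user: str, target_dir: str, filename: str) -> str:
    """Weak pattern: the directory id comes straight from the request and is never
    compared with the session account, so any logged-in user may choose any directory."""
    _require_login(session_user)
    if target_dir not in DIR_OWNERS:
        raise KeyError(f"unknown directory {target_dir}")
    return f"{UPLOAD_ROOT}/{target_dir}/{filename}"


def upload_fixed(session_user: str, target_dir: str, filename: str) -> str:
    """Hardened: the directory must belong to the authenticated account, and the
    filename is reduced to a bare basename so it cannot escape that directory."""
    _require_login(session_user)
    if DIR_OWNERS.get(target_dir) != session_user:
        # Same answer for "does not exist" and "not yours": no directory enumeration.
        raise Forbidden("directory not owned by caller")
    safe_name = PurePosixPath(filename).name
    if safe_name != filename or safe_name in ("", ".", ".."):
        raise ValueError("invalid filename")
    return f"{UPLOAD_ROOT}/{target_dir}/{safe_name}"


# Constructed audit records from the upload endpoint: (session_user, target_dir).
SAMPLE_LOG = [("alice", "dir-alice"), ("bob", "dir-alice"), ("bob", "dir-bob")]


def find_cross_user_uploads(entries):
    """Detection over audit data: uploads whose target directory has a different owner."""
    return [(u, d) for u, d in entries if DIR_OWNERS.get(d) != u]
```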

Details

CWE(s): CWE-639

Affected Products: wwbn / avideo ≤ 20.0

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The IDOR in AVideo's public-facing upload functionality is reachable through a public-facing application (T1190), and it allows arbitrary files, including potential web shells (T1505.003), to be written into directories the attacker does not own, which is what makes code injection a plausible follow-on.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
