CVE-2025-34437

HighPublic PoC

Published: 17 December 2025

Published

17 December 2025

Modified

19 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 36.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for logical access to resources like video objects, directly addressing the missing ownership checks on the comment image upload endpoint.

AC-6 Least Privilege partial match

prevent

Applies least privilege to restrict authenticated users from uploading to videos they do not own, limiting the scope of unauthorized modifications.

AC-25 Reference Monitor partial match

prevent

Implements a reference monitor to mediate and enforce access control policies on video comment uploads based on ownership.

Security SummaryAI

CVE-2025-34437 is an authorization bypass vulnerability (CWE-639) affecting AVideo versions prior to 20.1. The issue resides in the comment image upload endpoint, which properly validates user authentication but fails to enforce ownership checks on target videos. This allows any authenticated user to upload images to videos belonging to other users, enabling unauthorized modifications to arbitrary video objects. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-17.

An attacker with a low-privilege authenticated account can exploit this remotely over the network with low complexity and no user interaction required. By targeting the vulnerable endpoint, they can upload arbitrary comment images to videos they do not own, potentially leading to high-impact confidentiality, integrity, and availability violations, such as injecting malicious content, defacing videos, or disrupting platform functionality.

Advisories and patch references, including those from VulnCheck and Chocapikk, detail the flaw, while GitHub commits 4a53ab2056 and d411f91805 in the WWBN/AVideo repository provide fixes. Mitigation involves upgrading to AVideo version 20.1 or later, where ownership validation has been added to the endpoint.

Details

CWE(s): CWE-639

Affected Products

wwbn

avideo

≤ 20.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

T1491.002 External Defacement Impact

An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users.

attack.mitre.org →

Why these techniques?

CVE enables exploitation of public-facing web application (T1190) via authorization bypass, facilitating stored data manipulation (T1565.001) and external defacement (T1491.002) through unauthorized image uploads to arbitrary videos.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
disclosure@vulncheck.com
https://github.com/WWBN/AVideo/commit/4a53ab2056
Patch · disclosure@vulncheck.com
https://github.com/WWBN/AVideo/commit/d411f91805
Patch · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/avideo-idor-arbitrary-comment-image-upload
Third Party Advisory · disclosure@vulncheck.com