Insecure Direct Object Reference Vulnerability in AVideo by WWBN
CVE-2025-34435

8.7HIGH

Key Information:

Vendor

World Wide Broadcast Network

Status
Avideo
Vendor
CVE Published:
17 December 2025

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2025-34435?

AVideo versions prior to 20.0 are susceptible to a vulnerability that allows authenticated users to delete media files belonging to other users. This occurs due to the insecure direct object reference (IDOR) which, although it validates authentication, fails to adequately confirm ownership or the necessary edit permissions for the targeted video files. This oversight can lead to unauthorized deletions, posing a significant risk to user data integrity.

Affected Version(s)

AVideo 0 < 20.1

References

https://github.com/WWBN/AVideo/commit/4a53ab2056
release-notes
https://github.com/WWBN/AVideo/commit/275a54268b
patch
https://www.vulncheck.com/advisories/avideo-idor-arbitrar...
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein (Chocapikk)
JSON
.