Arbitrary File Upload Vulnerability in AVideo by WWBN
CVE-2025-34437

8.7HIGH

Key Information:

Vendor

World Wide Broadcast Network

Status
Avideo
Vendor
CVE Published:
17 December 2025

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2025-34437?

AVideo versions prior to 20.0 have a security flaw that allows any authenticated user to upload comment images to videos belonging to other users. The system effectively validates user authentication but fails to perform essential ownership checks. Consequently, this oversight may enable attackers to exploit the vulnerability and carry out unauthorized uploads targeting arbitrary video content, posing a significant risk to user privacy and data integrity.

Affected Version(s)

AVideo 0 < 20.1

References

https://github.com/WWBN/AVideo/commit/4a53ab2056
release-notes
https://github.com/WWBN/AVideo/commit/d411f91805
patch
https://www.vulncheck.com/advisories/avideo-idor-arbitrar...
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein (Chocapikk)
JSON
.