Insecure Direct Object Reference in AVideo by WWBN
CVE-2025-34438

5.3MEDIUM

Key Information:

Vendor

World Wide Broadcast Network

Status
Avideo
Vendor
CVE Published:
17 December 2025

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2025-34438?

AVideo prior to version 20.0 is affected by an insecure direct object reference vulnerability, which allows any user with upload permissions to modify the rotation metadata of any video. Although the system verifies the user's ability to upload content, it fails to enforce proper ownership or management rights, leading to potential unauthorized modifications of video attributes.

Affected Version(s)

AVideo 0 < 20.1

References

https://github.com/WWBN/AVideo/commit/4a53ab2056
release-notes
https://github.com/WWBN/AVideo/commit/c2feaf25cb
patch
https://www.vulncheck.com/advisories/avideo-idor-arbirary...
third-party-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valentin Lobstein (Chocapikk)
JSON
.