GHSA-q4x6-6mm2-crg9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q4x6-6mm2-crg9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-q4x6-6mm2-crg9/GHSA-q4x6-6mm2-crg9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q4x6-6mm2-crg9
- Aliases
-
- CVE-2026-39368
- Published
- 2026-04-08T00:08:42Z
- Modified
- 2026-05-26T18:50:38.163638125Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- WWBN AVideo has a Live restream log callback flow enabling stored SSRF to internal services
- Details
-
Summary
The Live restream log callback flow accepted an attacker-controlled
restreamerURLand later fetched that stored URL server-side, enabling stored SSRF for authenticated streamers.The vulnerable flow allowed a low-privilege user with streaming permission to store an arbitrary callback URL and trigger server-side requests to loopback or internal HTTP services through the restream log feature.
Details
The vulnerable chain was:
plugin/Live/view/getRestream.json.phpexposed a freshtokenForActionplugin/Live/view/Live_restreams/verifyTokenForAction.json.phpexchanged it for a validresponseTokenplugin/Live/view/Live_restreams_logs/add.json.phpaccepted attacker-controlledrestreamerURLplugin/Live/view/getRestream.json.phpandplugin/Live/view/Live_restreams/getAction.json.phplater fetched that stored URL server-side
The original issue existed because the
responseTokenwas accepted, but the callback destination was not tightly constrained to trusted restreamer endpoints.The maintainer confirmed the vulnerability and stated that the fix was applied by validating
restreamerURLat storage time and re-validating the log-entry branch before use. The maintainer also noted that them3u8field follows the same general pattern but is not server-fetched in the current flow.Proof of concept
- Log in as a non-admin user with streaming permission.
- Create a normal restream destination.
- Trigger
plugin/Live/view/Live_restreams/testRestreamer.json.phpto create a live transmission history row. - Call:
GET /plugin/Live/view/getRestream.json.php?live_transmitions_history_id=<id>&restreams_id=<id>- Extract
tokenForActionfrom the returned URL. - Exchange it for
responseTokenvia:
POST /plugin/Live/view/Live_restreams/verifyTokenForAction.json.php- Store a loopback callback URL:
POST /plugin/Live/view/Live_restreams_logs/add.json.php restreamerURL=http://127.0.0.1:9999/index.php- Trigger
getRestream.json.phpagain. - Observe that the returned response now contains the JSON body from the loopback-only service.
Impact
An authenticated streamer can cause the AVideo server to send HTTP requests to loopback or internal services and return the response through normal application endpoints by storing a malicious
restreamerURLin the restream log flow. Because the callback destination was not constrained to trusted restreamer endpoints, the application could be used as a proxy to internal-only services that trust network locality. Successful exploitation can expose local admin panels, internal-only APIs, cloud metadata services if reachable, or other sensitive internal responses available from the application host.Recommended fix
- Validate
restreamerURLagainst explicitly configured restreamer endpoints at storage time - Re-validate the stored callback URL before server-side fetch
- Bind
responseTokento the expected restream row and callback host - Apply SSRF validation to the initial destination of every server-side fetch, not only redirect targets
- Ignore or reject user-supplied callback hosts that do not match trusted configuration
- Database specific
{ "github_reviewed_at": "2026-04-08T00:08:42Z", "severity": "MODERATE", "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "nvd_published_at": "2026-04-07T20:16:30Z" }- References
Affected packages
Packagist / WWBN/AVideo
Package
- Name
- WWBN/AVideo
- Purl
- pkg:composer/WWBN%2FAVideo