GHSA-f4f9-627c-jh33

Source
https://github.com/advisories/GHSA-f4f9-627c-jh33
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f4f9-627c-jh33/GHSA-f4f9-627c-jh33.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f4f9-627c-jh33
Aliases
  • CVE-2026-39369
Published
2026-04-08T00:08:44Z
Modified
2026-05-26T18:50:37.829578739Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Summary
WWBN AVideo's GIF poster fetch bypasses traversal scrubbing and exposes local files through public media URLs
Details

Summary

objects/aVideoEncoderReceiveImage.json.php allowed an authenticated uploader to fetch attacker-controlled same-origin /videos/... URLs, bypass traversal scrubbing, and expose server-local files through the GIF poster storage path.

The vulnerable GIF branch could be abused to read local files such as /etc/passwd or application source files and republish those bytes through a normal public GIF media URL.

Details

The vulnerable chain was:

  1. objects/aVideoEncoderReceiveImage.json.php accepted attacker-controlled downloadURL_gifimage
  2. traversal scrubbing used str_replace('../', '', ...), which was bypassable with overlapping input such as ....//
  3. same-origin /videos/... URLs were accepted
  4. url_get_contents() and try_get_contents_from_local() resolved the request into a local filesystem read
  5. the fetched bytes were written into the GIF destination
  6. invalid GIF cleanup used the wrong variable, so the non-image payload remained on disk

This made the GIF poster path a local file disclosure primitive with public retrieval.

Proof of concept

  1. Log in as an uploader and create an owned video row through the normal encoder flow.
  2. Send:
     POST /objects/aVideoEncoderReceiveImage.json.php
     downloadURL_gifimage=https://localhost/videos/....//....//....//....//....//....//etc/passwd
  3. Query:
     GET /objects/videos.json.php?showAll=1
  4. Recover the generated GIF URL from videosURL.gif.url.
  5. Download that GIF URL.
  6. Observe that the body matches the target local file, such as /etc/passwd, byte-for-byte.

Impact

An authenticated uploader can read server-local files and republish them through a public GIF media URL by supplying a crafted same-origin /videos/... path to downloadURL_gifimage. Because traversal scrubbing was bypassable and the fetched bytes were written to the GIF destination without effective invalid-image cleanup, successful exploitation allows disclosure of files such as /etc/passwd, readable application source code, or deployment-specific configuration accessible to the application.

Recommended fix

  • Reject any remote image URL whose decoded path contains traversal markers
  • Do not allow attacker-controlled same-origin /videos/... fetches to resolve into local file reads
  • Constrain any local shortcut path handling with realpath() and strict base-directory allowlists
  • Validate GIF content before saving it into public media storage
  • Ensure invalid-image cleanup checks the correct destination path
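The following PHP is an added example, not AVideo's own code. It puts the single-pass str_replace('../', '', ...) scrubbing from the "Details" chain next to the checks the list above asks for: rejecting decoded paths that still carry traversal markers, refusing same-origin fetches, resolving any local path with realpath() against a base-directory allowlist, and validating GIF bytes before they reach public media storage (with cleanup keyed to the destination that was actually written). The function names, the temporary demo directory and the list of "self" hosts are assumptions for illustration.

```php
<?php
// Added example (not AVideo's code). Function names, demo paths and the
// $selfHosts list are hypothetical.

// Vulnerable pattern from the advisory: a single str_replace() pass.
// Overlapping input such as "....//" becomes "../" once the inner "../"
// is removed, so the marker survives scrubbing.
function scrubTraversalNaive(string $path): string
{
    return str_replace('../', '', $path);
}

// Check 1: reject URLs whose decoded path carries traversal markers, and
// refuse same-origin hosts so a "remote" fetch cannot be short-circuited
// into a local filesystem read.
function isAcceptableRemoteImageUrl(string $url, array $selfHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $path = rawurldecode($parts['path']);
    if (strpos($path, '..') !== false || strpos($path, "\0") !== false) {
        return false; // traversal marker or NUL survives decoding: reject outright
    }
    if (in_array(strtolower($parts['host']), $selfHosts, true)) {
        return false; // same-origin /videos/... fetch, exactly the advisory's path
    }
    return true;
}

// Check 2: any local shortcut path must resolve with realpath() and stay
// strictly under the allowed base directory.
function resolveWithinBase(string $baseDir, string $relative): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . '/' . ltrim(rawurldecode($relative), '/'));
    if ($candidate === false) {
        return null; // does not exist or could not be canonicalised
    }
    // Compare with a trailing separator so "/videos-other" cannot pass for "/videos".
    return strpos($candidate, $base . DIRECTORY_SEPARATOR) === 0 ? $candidate : null;
}

// Check 3: validate the GIF header before anything is written to public
// media storage; on a later failure, clean up the same $destination path.
function looksLikeGif(string $bytes): bool
{
    return strncmp($bytes, "GIF87a", 6) === 0 || strncmp($bytes, "GIF89a", 6) === 0;
}

function storeGifPoster(string $bytes, string $destination): bool
{
    if (!looksLikeGif($bytes)) {
        return false; // never written, so nothing is left on disk
    }
    if (file_put_contents($destination, $bytes) === false) {
        return false;
    }
    // Re-check the file actually written; unlink the same variable on failure.
    if (!looksLikeGif((string) file_get_contents($destination))) {
        unlink($destination);
        return false;
    }
    return true;
}

// Demo against a constructed temporary directory tree.
$root = sys_get_temp_dir() . '/avideo_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/videos/sample', 0700, true);
file_put_contents($root . '/videos/sample/poster.gif', "GIF89a\x01\x00\x01\x00\x00\x3b");

$attackerPath = '....//....//....//etc/passwd';
echo 'naive scrub: ' . scrubTraversalNaive($attackerPath) . PHP_EOL;

$selfHosts = ['localhost', '127.0.0.1'];
var_dump(isAcceptableRemoteImageUrl('https://localhost/videos/' . $attackerPath, $selfHosts));
var_dump(isAcceptableRemoteImageUrl('https://cdn.example.net/posters/a.gif', $selfHosts));

var_dump(resolveWithinBase($root . '/videos', $attackerPath));
var_dump(resolveWithinBase($root . '/videos', 'sample/poster.gif'));

var_dump(storeGifPoster('<?php echo 1; ?>', $root . '/videos/sample/bad.gif'));
var_dump(file_exists($root . '/videos/sample/bad.gif'));
```

The first echo shows why the scrubbing in step 2 of the chain is not a fix: the "....//" input collapses to plain "../" segments after one replacement pass. The remaining calls show the same input being refused at each of the three layers, and the non-GIF payload never reaching the media directory.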

Database specific
{
    "github_reviewed_at": "2026-04-08T00:08:44Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-22"
    ],
    "nvd_published_at": "2026-04-07T20:16:31Z",
    "github_reviewed": true
}
References

Affected packages

Packagist / WWBN/AVideo

Package

Name
WWBN/AVideo
Purl
pkg:composer/WWBN%2FAVideo

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
26.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-f4f9-627c-jh33/GHSA-f4f9-627c-jh33.json"