AVideo SSRF Vulnerability via IPv4-Mapped IPv6 Bypass (CVE-2026-33480)
AVideo versions up to 26.0 are vulnerable to server-side request forgery (SSRF) due to a bypass in the `isSSRFSafeURL()` function, allowing unauthenticated attackers to access internal resources.
AVideo, an open-source video platform, is vulnerable to a Server-Side Request Forgery (SSRF) attack. Specifically, versions up to and including 26.0 contain a flaw in the isSSRFSafeURL() function. This function, intended to prevent SSRF attacks, can be bypassed using IPv4-mapped IPv6 addresses (e.g., ::ffff:x.x.x.x). The vulnerability is located in the plugin/LiveLinks/proxy.php endpoint, which lacks proper authentication. An attacker can exploit this to make arbitrary HTTP requests to internal resources, cloud metadata endpoints, and localhost services. This issue was addressed in commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373. The CVSS v3.1 score is 8.6, indicating a high level of severity.
Attack Chain
- An attacker identifies an AVideo instance running a vulnerable version (<= 26.0).
- The attacker crafts a malicious URL using an IPv4-mapped IPv6 address, such as
::ffff:127.0.0.1. - The attacker sends an HTTP request to the
plugin/LiveLinks/proxy.phpendpoint, providing the malicious URL as a parameter. - The
isSSRFSafeURL()function fails to properly validate the IPv4-mapped IPv6 address. - The
proxy.phpscript uses curl (or a similar function) to fetch the content from the attacker-controlled URL. - The curl request is sent to the target specified within the IPv6-mapped address (e.g., localhost).
- The attacker gains access to sensitive information from internal services, cloud metadata, or localhost.
- The attacker may further exploit accessed services or exfiltrate data depending on the internal resources exposed.
Impact
Successful exploitation of this SSRF vulnerability allows unauthenticated attackers to read sensitive information from internal services, cloud metadata endpoints, and localhost services. This can lead to the disclosure of API keys, configuration files, internal network layouts, and potentially allow further exploitation of other internal systems. The lack of authentication on the affected endpoint greatly increases the potential for widespread abuse, particularly in cloud environments where metadata services are readily accessible.
Recommendation
- Apply the patch from commit 75ce8a579a58c9d4c7aafe453fbced002cb8f373 to remediate CVE-2026-33480.
- Monitor web server logs for requests to the
plugin/LiveLinks/proxy.phpendpoint containing IPv4-mapped IPv6 addresses using the provided Sigma rule. - Implement network segmentation and firewall rules to restrict access from the AVideo server to internal resources to mitigate the impact of successful SSRF attacks.
Detection coverage 2
Detect AVideo SSRF Attempt via IPv6-Mapped Address
criticalDetects requests to the vulnerable proxy.php endpoint with IPv4-mapped IPv6 addresses.
Detect AVideo SSRF Attempt via Proxy Access
highDetects requests through the proxy.php endpoint accessing internal IP ranges.
Detection queries are available on the platform. Get full rules →