GHSA-c3ch-22rq-xfwr: AVideo CVE-2026-43884 incomplete fix - six (or more) `isSSRFSafeURL()` call sites still discard the `$resolvedIP` out-param at master HEAD post-`603e7bf`
Summary
A previous security fix for CVE-2026-43884 in AVideo was incomplete. The fix patched two files to use a safer URL function, but six or more other call sites still discard the `$resolvedIP` out-parameter (the value the safety check returns to pin which server is actually connected to). Those call sites remain vulnerable to DNS-rebinding TOCTOU (time-of-check-to-time-of-use) attacks, in which the IP address a domain resolves to is changed between the moment the code checks it and the moment it connects.
Solution / Mitigation
The source text points to a correct implementation pattern in `plugin/YPTWallet/YPTWallet.php:1071-1098`, which shows how to use the `$resolvedIP` out-parameter with `curl_setopt($ch, CURLOPT_RESOLVE, ...)` to pin the connection to the checked IP (DNS pinning). However, the source does not explicitly state what developers should do to fix the six or more vulnerable call sites.
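The pattern the advisory describes, as an added example that is not AVideo's own code: a vulnerable caller that discards the out-parameter beside a fixed caller that pins the checked IP. `ssrf_check_url()` and `is_public_ip()` are assumed stand-ins written for this example; AVideo's real `isSSRFSafeURL()` signature is not reproduced here.

```php
<?php
// Added example, not AVideo's code: pin the connection to the IP that
// passed the SSRF check so a DNS-rebinding TOCTOU cannot redirect it.
// ssrf_check_url() is an assumed stand-in for isSSRFSafeURL(); the real
// signature is not reproduced here.

function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Resolve once (IPv4 only via gethostbyname), reject private/reserved
// targets, and hand back the IP that passed through the out-param.
function ssrf_check_url(string $url, ?string &$resolvedIP = null): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])
        || !in_array($p['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    $ip = gethostbyname($p['host']); // returns the name unchanged on failure
    if (!is_public_ip($ip)) {
        return false;
    }
    $resolvedIP = $ip;
    return true;
}

// Vulnerable pattern: out-param discarded, so curl performs a second
// lookup that a short-TTL rebinding record can answer with 127.0.0.1.
function fetch_unpinned(string $url) {
    if (!ssrf_check_url($url)) { return false; }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return curl_exec($ch);
}

// Fixed pattern: CURLOPT_RESOLVE pins host:port to the checked IP, and
// redirects are disabled because each hop would be a fresh unpinned lookup.
function fetch_pinned(string $url) {
    $resolvedIP = null;
    if (!ssrf_check_url($url, $resolvedIP)) { return false; }
    $p = parse_url($url);
    $port = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RESOLVE, ["{$p['host']}:{$port}:{$resolvedIP}"]);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return curl_exec($ch);
}
```

When auditing call sites, the thing to grep for is the check being called without the second argument, as in `fetch_unpinned()`; every such site re-resolves the name at connect time.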
Vulnerability Details
EPSS: 0.0%
May 15, 2026
Original source: https://github.com/advisories/GHSA-c3ch-22rq-xfwr
First tracked: May 15, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%