AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-2hch-c97c-g99x: AVideo has SSRF Protection Bypass via HTTP Redirect and DNS Rebinding in isSSRFSafeURL()

highvulnerability

security

Source: GitHub Advisory DatabaseMay 5, 2026CVE-2026-43884

Summary

AVideo has two security flaws in how it protects against SSRF attacks (server-side request forgery, where an attacker tricks a server into fetching URLs they control). First, two endpoints validate URLs using `isSSRFSafeURL()` but then use `file_get_contents()` without disabling PHP's automatic redirect-following, allowing an attacker to bypass protection by redirecting to internal addresses like cloud metadata endpoints. Second, six other callers of `isSSRFSafeURL()` ignore the DNS pinning feature (which locks a hostname to one IP address), leaving them vulnerable to DNS rebinding attacks (where an attacker makes a hostname resolve to different IP addresses in quick succession).

Solution / Mitigation

The source describes a safe implementation in `objects/functions.php`, `url_get_contents()`: disable auto-redirect with `['http' => ['follow_location' => 0]]`, manually loop through redirects (max 5 hops), and re-validate each redirect target by calling `isSSRFSafeURL()` on it before following. For DNS rebinding, the source indicates callers should capture and use the `$resolvedIP` out-parameter from `isSSRFSafeURL()` with `CURLOPT_RESOLVE` when fetching, as demonstrated by the one correctly-implemented caller `plugin/LiveLinks/proxy.php`.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Disclosure Date

May 5, 2026

Classification

Attack SophisticationModerate

Affected Packages

wwbn/avideo@<= 29.0

Monthly digest — independent AI security research

Original source: https://github.com/advisories/GHSA-2hch-c97c-g99x

First tracked: May 5, 2026 at 08:00 PM

Classified by LLM (prompt v3) · confidence: 95%