CVE-2026-33024 in AVideo-Encoderinfo

Summary

by MITRE • 03/20/2026

AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.


Analysis

by VulDB Data Team • 03/26/2026

AVideo platform versions prior to 8.0 contain a critical server-side request forgery vulnerability (CWE-918) that affects the public thumbnail endpoints getImage.php and getImageMP4.php. This vulnerability stems from inadequate input validation mechanisms that fail to properly authenticate and sanitize external resource requests. The affected endpoints accept a base64Url GET parameter which is base64-decoded and subsequently passed to ffmpeg as an input source without any additional security checks or authentication requirements. The validation logic only verifies that the URL is syntactically valid using FILTER_VALIDATE_URL and confirms it begins with http(s)://, creating a significant security gap that allows attackers to exploit the system's trust in the input validation process.

The technical flaw manifests through the insufficient validation approach that permits attackers to craft malicious URLs targeting internal network resources. Attackers can supply URLs such as http://169.254.169.254/latest/meta-data/ which provides AWS cloud instance metadata, or internal IP addresses like http://192.168.x.x/ and http://127.0.0.1/ to access sensitive information that should remain protected within the server's internal network boundaries. This vulnerability operates under the principle of blind SSRF where the server makes requests to internal resources but does not directly return the responses, instead relying on timing variations and error log analysis to infer successful exploitation. The attack vector leverages the fact that ffmpeg processes the decoded URLs as legitimate input sources, effectively allowing unauthorized access to internal systems that would normally be protected by network segmentation and firewall rules.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with potential access to internal network resources that could contain sensitive data, system configurations, or additional attack vectors. The blind nature of the vulnerability means that attackers can perform reconnaissance activities without direct response data, making detection more difficult and allowing for prolonged exploitation periods. Timing-based inference techniques can reveal whether specific internal services are accessible, potentially enabling attackers to map internal network topologies and identify additional vulnerable systems. This vulnerability represents a significant risk to organizations relying on AVideo platforms, as it could lead to unauthorized access to internal systems, data breaches, and potential lateral movement within the network infrastructure. The vulnerability affects the platform's core functionality and undermines the security assumptions that typically protect server-side processing operations from external threats.

Organizations using AVideo versions prior to 8.0 should immediately implement mitigation measures including upgrading to version 8.0 or later where the vulnerability has been addressed. The fix involves implementing comprehensive input validation that includes additional checks beyond basic URL syntax verification, such as restricting access to specific domains or IP address ranges, implementing proper authentication mechanisms for external resource access, and adding network segmentation controls to prevent internal resource access. Security measures should also include monitoring for unusual patterns in ffmpeg processing requests, implementing rate limiting for thumbnail generation endpoints, and establishing network-level controls to prevent access to internal IP ranges from the application servers. Organizations should also conduct thorough security assessments of their AVideo implementations to identify any other potential vulnerabilities in related components and ensure that all external resource access follows secure coding practices and adheres to the principle of least privilege. The vulnerability demonstrates the critical importance of proper input validation and the dangers of relying solely on basic syntax checks for security controls.
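As an added example (not AVideo's own code; function names and the injectable resolver are hypothetical), the scheme-only validation the advisory describes sits beside a hardened check that parses the URL, resolves the host and rejects loopback, link-local and RFC 1918 addresses, so the metadata and internal targets named above fail closed:

```php
<?php
// weak_url_check() reproduces the pre-8.0 validation: syntactically valid URL + http(s):// prefix.
function weak_url_check(string $url): bool {
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && preg_match('#^https?://#i', $url) === 1;
}

// True only for addresses outside loopback, link-local (169.254/16) and private ranges.
function is_public_ip(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// $resolver (hypothetical) maps a hostname to its addresses; defaults to a DNS lookup.
function safe_url_check(string $url, ?callable $resolver = null): bool {
    if (!weak_url_check($url)) {
        return false;
    }
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['host']) || isset($parts['user']) || isset($parts['pass'])) {
        return false;                         // hostless URLs and embedded credentials
    }
    $host = trim($parts['host'], '[]');       // bracketed IPv6 literal -> bare address
    // gethostbynamel() returns A records only; production code should also check AAAA records.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false
        ? [$host]
        : ($resolver ? $resolver($host) : (gethostbynamel($host) ?: []));
    if ($addresses === []) {
        return false;                         // unresolvable host: fail closed
    }
    foreach ($addresses as $ip) {
        if (!is_public_ip($ip)) {
            return false;                     // any internal answer rejects the whole URL
        }
    }
    return true;
}

// Constructed inputs; the stub resolver keeps the run offline (203.0.113.0/24 is documentation space).
$stub = fn(string $h): array => ['media.example' => ['203.0.113.10'],
                                 'evil.example'  => ['203.0.113.10', '10.0.0.5']][$h] ?? [];
foreach (['http://169.254.169.254/latest/meta-data/', 'http://127.0.0.1/', 'http://192.168.1.20/',
          'http://media.example/clip.mp4', 'http://evil.example/clip.mp4'] as $u) {
    printf("%-45s weak=%-5s safe=%s\n", $u, var_export(weak_url_check($u), true),
           var_export(safe_url_check($u, $stub), true));
}
```

ffmpeg resolves the hostname again when it fetches, so a name whose answer changes between the check and the fetch can still reach an internal address; pinning the checked IP, or the network-level egress controls the analysis recommends, closes that gap.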

Responsible

GitHub M

Reservation

03/17/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00034

KEV

no

Activities

very low
