CVE-2025-34435

6.5 MEDIUM

📋 TL;DR

AVideo versions before 20.1 contain an insecure direct object reference (IDOR) vulnerability that allows any authenticated user to delete media files belonging to other users. The vulnerability occurs because the affected endpoint validates authentication but fails to verify ownership or edit permissions for targeted videos. All AVideo installations running vulnerable versions are affected.

💻 Affected Systems

Products:
  • AVideo
Versions: All versions prior to 20.1
Operating Systems: All platforms running AVideo
Default Config Vulnerable: ⚠️ Yes
Notes: All AVideo installations with the vulnerable endpoint are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious authenticated users could delete all media files in the system, causing permanent data loss and service disruption.

🟠 Likely Case

Authenticated users deleting specific media files belonging to other users, potentially targeting sensitive or important content.

🟢 If Mitigated

Unauthorized deletions prevented through proper authorization checks, with only legitimate owners able to delete their media.

🌐 Internet-Facing: HIGH - Any internet-facing AVideo instance with user accounts is vulnerable to exploitation.
🏢 Internal Only: MEDIUM - Internal instances still vulnerable to insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated. Public details available in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20.1 and later

Vendor Advisory: https://github.com/WWBN/AVideo/commit/275a54268b

Restart Required: No

Instructions:

1. Backup your AVideo installation and database.
2. Update to AVideo version 20.1 or later.
3. Verify the fix by checking that the vulnerable endpoint now validates ownership permissions.
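The missing check, as an added illustration that is not AVideo's code: two handlers over a constructed in-memory video table, one with only the login check the pre-20.1 endpoint performed, one with the ownership-or-edit-permission check the fix requires. Function and field names (`editors`, `can_edit`, `Forbidden`) are assumptions.

```python
# Added example, not AVideo's code: the authorization gap behind CVE-2025-34435,
# modelled as two delete handlers over an in-memory video table (names assumed).
from dataclasses import dataclass, field


@dataclass
class Video:
    id: int
    owner_id: int
    # users other than the owner who were granted edit rights (assumed field)
    editors: set = field(default_factory=set)


class Forbidden(Exception):
    """Authenticated, but not allowed to act on this object."""


def sample_videos():
    # Constructed sample data: two users, one video each; user 300 may edit video 2.
    return {
        1: Video(id=1, owner_id=100),
        2: Video(id=2, owner_id=200, editors={300}),
    }


def delete_video_vulnerable(videos, session_user_id, video_id):
    """Pre-20.1 pattern: checks only that *someone* is logged in (IDOR)."""
    if session_user_id is None:
        raise PermissionError("login required")
    videos.pop(video_id, None)  # no ownership check: any user deletes any video
    return True


def can_edit(video, user_id):
    """Ownership-or-edit-permission check the fixed endpoint must perform."""
    return user_id == video.owner_id or user_id in video.editors


def delete_video_fixed(videos, session_user_id, video_id):
    """Patched pattern: authenticate, then authorize against the target object."""
    if session_user_id is None:
        raise PermissionError("login required")
    video = videos.get(video_id)
    if video is None:
        return False  # nothing to delete
    if not can_edit(video, session_user_id):
        raise Forbidden(f"user {session_user_id} may not delete video {video_id}")
    del videos[video_id]
    return True
```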

🔧 Temporary Workarounds

Temporary endpoint restriction (applies to: all)

Temporarily disable or restrict access to the vulnerable media deletion endpoint.

# Modify .htaccess or the web server config to restrict access to the vulnerable endpoint.
# Example for Apache (placeholder path; substitute the actual endpoint):
RewriteEngine On
RewriteRule ^path/to/vulnerable/endpoint - [F]

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for media deletion operations
  • Regularly backup media files and implement file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check whether the AVideo version is below 20.1; then, in a test environment, attempt an authenticated deletion of a media file owned by a different test account.

Check Version:

Check AVideo configuration or admin panel for version information

Verify Fix Applied:

After updating to 20.1+, test that authenticated users cannot delete media files belonging to other users

📡 Detection & Monitoring

Log Indicators:

  • Multiple DELETE requests to media endpoints from a single user account
  • Failed media deletion attempts with permission errors after patch

Network Indicators:

  • HTTP requests to media deletion endpoints where the requesting user ID differs from the media owner's ID

SIEM Query:

source="avideo_logs" AND (http_method="DELETE" AND uri="/path/to/media" AND user_id!=owner_id)

🔗 References