CVE-2025-34440

6.1 MEDIUM

📋 TL;DR

AVideo versions before 20.1 contain an open redirect vulnerability in the user registration process. Attackers can manipulate the siteRedirectUri parameter to redirect users to malicious external websites, enabling phishing attacks. This affects all AVideo installations running vulnerable versions.

💻 Affected Systems

Products:
  • AVideo
Versions: All versions prior to 20.1
Operating Systems: All platforms running AVideo
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable if using affected versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users are redirected to sophisticated phishing sites that steal credentials or deliver malware, leading to account compromise or system infection.

🟠 Likely Case

Attackers use the redirect for phishing campaigns to harvest user credentials or distribute malicious links.

🟢 If Mitigated

With proper user awareness training and browser security settings, impact is limited to potential confusion or minor inconvenience.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a crafted link) but is technically simple.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20.1

Vendor Advisory: https://github.com/WWBN/AVideo/commit/4a53ab2056

Restart Required: No

Instructions:

1. Back up your AVideo installation.
2. Update to AVideo version 20.1 or later.
3. Verify the patch by checking the commit references.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to reject external URLs in the siteRedirectUri parameter.

Modify user registration handling code to validate redirect URLs against allowed domains only.
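The following is an added example of the allow-list check described above; it is not AVideo's own code (AVideo is written in PHP) and the host names, function names and default target are assumed for illustration. It accepts only same-origin relative paths and absolute http(s) URLs whose host is on an explicit allow-list, and it rejects the usual bypasses of naive "starts with /" or "contains our domain" checks: scheme-relative `//host`, backslash variants, userinfo tricks such as `https://ours@evil`, non-http schemes and look-alike subdomains.

```python
from urllib.parse import urlsplit

# Hosts the registration flow may send the browser back to.
# Constructed example values, not AVideo's configuration.
ALLOWED_HOSTS = {"videos.example.com", "www.example.com"}
DEFAULT_TARGET = "/"  # where to land when the requested redirect is rejected


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` is a same-origin path or an http(s) URL
    whose host is explicitly allowed."""
    if not target:
        return False
    # Whitespace/control characters and backslashes are parsed inconsistently
    # by browsers (e.g. "/\evil" is treated like "//evil"), so reject outright.
    if any(ch in target for ch in "\r\n\t ") or "\\" in target:
        return False

    parts = urlsplit(target)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: allow "/path" but not "//host" (scheme-relative)
        return target.startswith("/") and not target.startswith("//")

    if parts.scheme not in ("http", "https"):
        # Covers "//host" (empty scheme, non-empty netloc), javascript:, data:, ...
        return False

    if "@" in parts.netloc:
        # "https://videos.example.com@evil.example/" resolves to evil.example
        return False

    host = (parts.hostname or "").lower()
    # Exact match only: "videos.example.com.evil.example" must not pass
    return host in allowed_hosts


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Value to actually put in the Location header: the requested target if
    it passes validation, otherwise the local default."""
    return target if is_safe_redirect(target, allowed_hosts) else default


if __name__ == "__main__":
    # Mirrors the page's verification test: an external domain must be refused.
    for candidate in ("/welcome",
                      "https://videos.example.com/welcome",
                      "https://evil.com",
                      "//evil.com/",
                      "https://videos.example.com@evil.com/"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

The registration handler would call `safe_redirect_target()` on the incoming `siteRedirectUri` value and redirect only to what it returns. Matching hosts exactly against a short list (rather than substring-matching your own domain) is what closes the look-alike and userinfo cases.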

🧯 If You Can't Patch

  • Implement WAF rules to block requests containing external URLs in the siteRedirectUri parameter.
  • Educate users about phishing risks and advise them to verify URLs before clicking.

🔍 How to Verify

Check if Vulnerable:

Test by attempting to register with a siteRedirectUri parameter pointing to an external domain like https://evil.com.

Check Version:

Check AVideo version in admin panel or via version file in installation directory.

Verify Fix Applied:

After patching, repeat the vulnerable test; the redirect should be blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with siteRedirectUri parameter containing external domains in registration logs.

Network Indicators:

  • Redirects from AVideo registration page to unexpected external domains.

SIEM Query:

source="avideo_logs" AND "siteRedirectUri" AND (url="*http://*" OR url="*https://*") NOT url="*yourdomain.com*"
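As an added example of the log indicator and SIEM query above (not part of the original advisory, and not AVideo's own tooling), the script below scans web-server access logs for registration requests whose `siteRedirectUri` carries an authority outside your own host(s) or uses a non-http scheme. The log lines are constructed samples in combined log format, the own-domain list is an assumption, and the AVideo request path is illustrative; adapt the regex and path to your server's log format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not real AVideo logs.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2025:12:00:01 +0000] "GET /user/register?siteRedirectUri=%2Fwelcome HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2025:12:00:05 +0000] "GET /user/register?siteRedirectUri=https%3A%2F%2Fvideos.example.com%2Fwelcome HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2025:12:00:09 +0000] "GET /user/register?siteRedirectUri=https%3A%2F%2Fevil.com%2Flogin HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/May/2025:12:00:12 +0000] "POST /user/register?siteRedirectUri=%2F%2Fevil.com%2F HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.12 - - [10/May/2025:12:00:20 +0000] "GET /videos HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Your own site host(s); assumed values, the equivalent of "*yourdomain.com*"
# in the SIEM query above.
OWN_HOSTS = {"videos.example.com"}

# Minimal combined-log-format parser: client IP, timestamp, method, request
# target and status are all we need.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def extract_redirect_param(target: str):
    """Return the decoded siteRedirectUri value from a request target, or None."""
    values = parse_qs(urlsplit(target).query).get("siteRedirectUri")
    return values[0] if values else None


def is_external(uri: str, own_hosts=OWN_HOSTS) -> bool:
    """True if the redirect value points off-site: any absolute or
    scheme-relative URL whose host is not ours, or a non-http scheme."""
    parts = urlsplit(uri.strip())
    if parts.scheme and parts.scheme not in ("http", "https"):
        return True                      # javascript:, data:, ...
    if not parts.netloc:
        return False                     # same-origin relative path
    return (parts.hostname or "").lower() not in own_hosts


def find_open_redirect_attempts(log_text: str, own_hosts=OWN_HOSTS):
    """Return one record per request that tried an external siteRedirectUri."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        uri = extract_redirect_param(m["target"])
        if uri and is_external(uri, own_hosts):
            hits.append({
                "ip": m["ip"],
                "time": m["ts"],
                "method": m["method"],
                "status": int(m["status"]),   # 302 here means the redirect was issued
                "redirect": uri,
            })
    return hits


if __name__ == "__main__":
    for hit in find_open_redirect_attempts(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['ip']:15} {hit['method']:4} -> {hit['redirect']} ({hit['status']})")
```

A 302 on a flagged request means the server actually honoured the external redirect, which on an unpatched install confirms exposure; after patching, the same requests should show the local default target or a non-redirect status.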

🔗 References