CVE-2025-34441
📋 TL;DR
AVideo versions before 20.1 expose sensitive user information through an unauthenticated public API endpoint. This allows attackers to enumerate users, obtain emails, usernames, administrative status, and last login times without authentication. All AVideo installations running vulnerable versions are affected.
💻 Affected Systems
- AVideo
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers harvest all user data including admin emails, enabling targeted phishing, credential stuffing, and potential account takeover leading to full system compromise.
Likely Case
User enumeration and privacy violations, enabling targeted attacks against administrators and regular users through harvested email addresses and login patterns.
If Mitigated
Limited to reconnaissance only if strong authentication, rate limiting, and network segmentation prevent follow-on attacks.
🎯 Exploit Status
Simple HTTP GET request to the vulnerable endpoint; trivial to automate for mass data collection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.1
Vendor Advisory: https://github.com/WWBN/AVideo/commit/1416c517e2
Restart Required: No
Instructions:
1. Update AVideo to version 20.1 or later.
2. Apply the security patches from GitHub commits 1416c517e2 and 4a53ab2056.
3. Verify the API endpoint now requires proper authentication.
🔧 Temporary Workarounds
Block Unauthenticated API Access
Use web server configuration to block access to the vulnerable API endpoint for unauthenticated users. A rule on the whole /api path also affects any legitimate unauthenticated API use, so test it before rolling out.
# For Apache: add to the virtual host config (Location is not permitted in .htaccess)
<Location "/api">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Location>
# For Nginx: add to server block
location /api {
    auth_basic "Restricted";
    auth_basic_user_file /path/to/.htpasswd;
}
Network Access Control
Restrict access to the AVideo instance using firewall rules or network segmentation.
# Example iptables rules to restrict HTTP and HTTPS to the internal network
# (rules are appended, so an earlier ACCEPT in the INPUT chain would take precedence)
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate AVideo from untrusted networks.
- Deploy a WAF with rules to block unauthenticated API requests and monitor for enumeration attempts.
🔍 How to Verify
Check if Vulnerable:
Send an unauthenticated GET request to the AVideo API endpoint (e.g., /api/user/list) and check if user data is returned without authentication.
Check Version:
Check the AVideo version in the admin panel or via the web interface.
Verify Fix Applied:
After patching, attempt the same unauthenticated request; it should return an authentication error or no sensitive data.
📡 Detection & Monitoring
Log Indicators:
- Multiple unauthenticated requests to /api/user/* endpoints
- High volume of requests from single IPs to user enumeration endpoints
Network Indicators:
- Unusual traffic patterns to API endpoints without authentication headers
- External IPs accessing sensitive API endpoints
SIEM Query:
source="avideo.logs" AND uri="/api/user/*" AND NOT auth_status="authenticated" | stats count by src_ip
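The log indicators above, turned into a check over web-server access-log lines. This is an added example, not part of the advisory: the log lines are constructed, the threshold of three requests is an assumed value, and "unauthenticated" is read from the combined-log remote-user field, which only reflects web-server (Basic) authentication such as the workaround in this advisory.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format), not real traffic.
# The third field is the web-server authenticated user ("-" = none), which the
# Basic-auth workaround above populates; AVideo's own session logins do not
# show up here and need application-level logs instead.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /api/user/list HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /api/user/list?page=2 HTTP/1.1" 200 5100 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /api/user/list?page=3 HTTP/1.1" 200 5090 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:10:00:04 +0000] "GET /api/user/list?page=4 HTTP/1.1" 401 120 "-" "python-requests/2.31"
198.51.100.4 - admin [10/Jan/2025:10:01:00 +0000] "GET /api/user/list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2025:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec

def find_enumeration(log_text, threshold=3):
    """Per source IP, count unauthenticated requests to /api/user/* and how many
    returned data (2xx). Returns {ip: {"requests": n, "leaked": m}} at/above threshold."""
    requests, leaked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/api/user/"):
            continue
        if rec["user"] != "-":  # a web-server authenticated user is present
            continue
        requests[rec["ip"]] += 1
        if 200 <= rec["status"] < 300:
            leaked[rec["ip"]] += 1
    return {ip: {"requests": n, "leaked": leaked[ip]}
            for ip, n in requests.items() if n >= threshold}
```

A non-zero "leaked" count on an unpatched host means user data was actually returned; after patching, unauthenticated hits should only ever show up in "requests".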