Description

AVideo versions 14.3.1 prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP uniqid(). The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.

INFO

Published Date :

2025-12-19T15:37:39.775Z

Last Modified :

2025-12-19T19:59:28.384Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2025-34433 vulnerability.

Vendors Products
Wwbn
  • Avideo
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-34433.

URL Resource
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/ cve-icon cve-icon
https://github.com/WWBN/AVideo/commit/4a53ab2 cve-icon cve-icon
https://github.com/WWBN/AVideo/commit/a2bdbff cve-icon cve-icon
https://www.vulncheck.com/advisories/avideo-unauthenticated-rce-via-predictable-installation-salt cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability