CVE-2025-34434
Published: 17 December 2025
Summary
CVE-2025-34434 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Wwbn Avideo. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identification and documentation of actions permitted without authentication, preventing unauthenticated file upload and deletion on ImageGallery plugin endpoints.
Mandates enforcement of approved authorizations including authentication checks and ownership validation to block unauthorized access to gallery management functions.
Applies least privilege to ensure unauthenticated users have no access to upload or delete images associated with any video gallery.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication enables unauthenticated exploitation of public-facing web application (T1190). Allows arbitrary image/file uploads, facilitating web shell deployment for persistence (T1505.003) and potential further compromise.
NVD Description
AVideo versions prior to 20.1 with the ImageGallery plugin enabled is vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload…
more
or delete images associated with any image-based video.
Deeper analysisAI
CVE-2025-34434 is a missing authentication vulnerability (CWE-306) in AVideo versions prior to 20.1 when the ImageGallery plugin is enabled. The plugin's endpoints for managing gallery images fail to enforce authentication checks or validate ownership, enabling unauthenticated file upload and deletion for images associated with any image-based video. Published on 2025-12-17, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H), indicating critical impact on integrity and availability.
Unauthenticated remote attackers can exploit the vulnerable endpoints over the network with low attack complexity and no user interaction required. Successful exploitation allows attackers to upload arbitrary images to any video's gallery or delete existing ones without ownership restrictions, potentially disrupting content availability or enabling further compromise through malicious file uploads.
Advisories from VulnCheck and ChocaPikk detail the issue, while AVideo repository commits 4a53ab2056 and c279999cbd provide the fixes. Mitigation requires upgrading to AVideo version 20.1 or later to address the authentication and validation deficiencies in the ImageGallery plugin.
Details
- CWE(s)