CVE-2025-34436
Published: 17 December 2025
Summary
CVE-2025-34436 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in WWBN AVideo. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 27.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved access authorizations and addresses this IDOR directly: the upload handler must verify that the target directory belongs to the requesting user before it writes anything there.
SI-10 requires validation of information inputs, such as the directory reference carried in an upload request, so that a manipulated reference to another user's directory is rejected rather than acted on.
AC-6 enforces least privilege, limiting authenticated users to their own directories and reducing the impact of a missing ownership check.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR sits in AVideo's upload functionality, which is reachable by any authenticated user of the public-facing application (T1190). Because the flaw lets an attacker write arbitrary files into other users' directories, it can be used to place web shells or other server-side code (Server Software Component: Web Shell, T1505.003).
NVD Description
AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.
Deeper analysis
CVE-2025-34436 is an insecure direct object reference (IDOR) vulnerability, classified under CWE-639, affecting AVideo versions prior to 20.1. The flaw exists in the platform's upload functionality, which authenticates users but fails to enforce ownership checks on target directories. This allows any authenticated user to upload files into directories belonging to other users. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low complexity.
An attacker with a low-privilege authenticated account (PR:L) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N). By manipulating the directory reference in an upload request, they can place arbitrary files in other users' directories. The vector rates all three impacts as high: confidentiality (C:H, e.g. reading other users' content once server-side code has been uploaded), integrity (I:H, e.g. overwriting existing files or injecting malicious code), and availability (A:H, e.g. filling storage). Scope is unchanged (S:U), meaning the rated impact is confined to the AVideo application itself rather than a separately managed component.
Advisories from sources like VulnCheck and Chocapikk detail the issue, while GitHub commits 4a53ab2056 and c279999cbd in the WWBN/AVideo repository provide fixes. Mitigation involves upgrading to AVideo version 20.1 or later, where ownership verification has been added to the upload process, preventing unauthorized directory access.
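As an added illustration, not AVideo's code and not the fix contained in the commits above, the following Python models the pattern that the mitigating-controls section and the analysis describe: an upload handler that verifies authentication but takes the target directory straight from the request as a user-controlled key, beside a hardened handler that adds the AC-3 ownership check and SI-10 validation of the directory reference. The names UploadRequest, DIR_OWNERS and UPLOAD_ROOT, and the ownership table, are constructed assumptions for the example.

```python
# Added example for the CWE-639 pattern behind CVE-2025-34436; not AVideo's code
# and not the upstream fix. All names, paths and sample data are constructed.
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Constructed sample state: which authenticated user owns which upload directory.
DIR_OWNERS = {"user_17": 17, "user_42": 42}
UPLOAD_ROOT = PurePosixPath("/srv/uploads")


class AuthError(Exception):
    """Request carries no authenticated session."""


class AuthzError(Exception):
    """Authenticated, but not permitted to write where it asked to."""


@dataclass
class UploadRequest:
    session_user: Optional[int]  # None means not logged in
    target_dir: str              # the user-controlled key (object reference)
    filename: str
    content: bytes


def vulnerable_upload(req: UploadRequest) -> str:
    """The pattern the advisory describes: authentication is verified, but the
    directory named in the request is used as-is, so user 42 can target user_17.
    Returns the path that would be written."""
    if req.session_user is None:
        raise AuthError("login required")
    return str(UPLOAD_ROOT / req.target_dir / req.filename)


def hardened_upload(req: UploadRequest) -> str:
    """Same handler with the two missing controls added.
    SI-10: the directory reference must be exactly one plain path component
           (no separators, no '.', no '..', no leading slash).
    AC-3:  that directory must be owned by the session user.
    The filename is also reduced to its basename so '../' cannot escape."""
    if req.session_user is None:
        raise AuthError("login required")
    d = req.target_dir
    if d in ("", ".", "..") or PurePosixPath(d).name != d:
        raise AuthzError("invalid directory reference")
    if DIR_OWNERS.get(d) != req.session_user:
        raise AuthzError("directory not owned by requester")
    safe_name = PurePosixPath(req.filename).name
    if safe_name in ("", ".", ".."):
        raise AuthzError("invalid filename")
    return str(UPLOAD_ROOT / d / safe_name)


if __name__ == "__main__":
    cross_user = UploadRequest(42, "user_17", "shell.php", b"<?php ...")
    print("vulnerable writes:", vulnerable_upload(cross_user))
    try:
        hardened_upload(cross_user)
    except AuthzError as e:
        print("hardened rejects:", e)
```

The ownership lookup is the check the NVD text says the vulnerable releases lack; the basename reduction is a separate, cheap guard against path traversal in the filename. A stronger design than validating the user-supplied key is to derive the destination directory from the session alone and never read it from the request, which removes the object reference the attacker would manipulate.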
Details
- CWE(s)