CVE-2025-34437
Published: 17 December 2025
Summary
CVE-2025-34437 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wwbn Avideo. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-25 (Reference Monitor).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to resources like video objects, directly addressing the missing ownership checks on the comment image upload endpoint.
Applies least privilege to restrict authenticated users from uploading to videos they do not own, limiting the scope of unauthorized modifications.
Implements a reference monitor to mediate and enforce access control policies on video comment uploads based on ownership.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables exploitation of public-facing web application (T1190) via authorization bypass, facilitating stored data manipulation (T1565.001) and external defacement (T1491.002) through unauthorized image uploads to arbitrary videos.
NVD Description
AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.
Deeper analysisAI
CVE-2025-34437 is an authorization bypass vulnerability (CWE-639) affecting AVideo versions prior to 20.1. The issue resides in the comment image upload endpoint, which properly validates user authentication but fails to enforce ownership checks on target videos. This allows any authenticated user to upload images to videos belonging to other users, enabling unauthorized modifications to arbitrary video objects. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-17.
An attacker with a low-privilege authenticated account can exploit this remotely over the network with low complexity and no user interaction required. By targeting the vulnerable endpoint, they can upload arbitrary comment images to videos they do not own, potentially leading to high-impact confidentiality, integrity, and availability violations, such as injecting malicious content, defacing videos, or disrupting platform functionality.
Advisories and patch references, including those from VulnCheck and Chocapikk, detail the flaw, while GitHub commits 4a53ab2056 and d411f91805 in the WWBN/AVideo repository provide fixes. Mitigation involves upgrading to AVideo version 20.1 or later, where ownership validation has been added to the endpoint.
Details
- CWE(s)