CVE-2026-33024: Wwbn Avideo-encoder SSRF Vulnerability

CVE-2026-33024 Overview

CVE-2026-33024 is a critical Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting AVideo, an open-source video-sharing platform. The vulnerability exists in the public thumbnail endpoints getImage.php and getImageMP4.php, which accept a base64Url GET parameter, decode it, and pass the resulting URL to ffmpeg as an input source without proper validation or authentication requirements.

The prior validation only checked that the URL was syntactically valid using FILTER_VALIDATE_URL and verified that it started with http:// or https://. This insufficient validation allows attackers to supply URLs targeting internal network resources, cloud instance metadata services, and other sensitive endpoints.

Critical Impact
Unauthenticated attackers can exploit this SSRF vulnerability to access internal network resources, cloud instance metadata (including AWS credentials at http://169.254.169.254/), and probe internal infrastructure without any authentication requirements.

Affected Products

wwbn avideo-encoder versions prior to 8.0
AVideo platform deployments using vulnerable getImage.php endpoint
AVideo platform deployments using vulnerable getImageMP4.php endpoint

Discovery Timeline

2026-03-20 - CVE CVE-2026-33024 published to NVD
2026-03-24 - Last updated in NVD database

Technical Details for CVE-2026-33024

Vulnerability Analysis

This SSRF vulnerability allows unauthenticated remote attackers to force the AVideo server to make arbitrary HTTP/HTTPS requests to internal and external resources. The vulnerable endpoints accept user-supplied URLs through a base64-encoded GET parameter, decode them, and use them as input to ffmpeg for thumbnail generation—all without requiring authentication.

The impact is significant for cloud-hosted deployments, as attackers can target instance metadata services to extract sensitive information including API credentials, IAM role tokens, and configuration data. Although the vulnerability is blind (responses are not directly returned to the attacker), timing differences and error log analysis can be leveraged to infer information about the internal network topology and accessible services.

Root Cause

The root cause is insufficient URL validation before processing user-supplied input. The original implementation only performed two checks:

Syntactic URL validation using PHP's FILTER_VALIDATE_URL
Protocol verification ensuring the URL starts with http:// or https://

These checks fail to prevent requests to private IP ranges, localhost, cloud metadata endpoints, and internal hostnames. The validation did not resolve DNS hostnames to verify their target IP addresses, nor did it block access to RFC 1918 private address space or link-local addresses.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker crafts a malicious URL targeting an internal resource (such as http://169.254.169.254/latest/meta-data/ for AWS metadata, http://192.168.x.x/ for internal networks, or http://127.0.0.1/ for localhost services), base64-encodes it, and sends it as the base64Url parameter to either vulnerable endpoint.

The following patch demonstrates the fix implemented in version 8.0 for getImage.php:

php

     error_log("getImage: Invalid URL rejected: {$url}");
     die();
 }
+// SSRF protection: block requests to private/internal network addresses
+$_ssrfParsed = parse_url($url);
+$_ssrfHost = isset($_ssrfParsed['host']) ? $_ssrfParsed['host'] : '';
+if (empty($_ssrfHost) || preg_match('/^(localhost|.*\.local)$/i', $_ssrfHost)) {
+    error_log("getImage: SSRF attempt blocked for host: {$_ssrfHost}");
+    die();
+}
+// Check direct IP notation and DNS-resolved addresses against private ranges
+$_ssrfIP = filter_var($_ssrfHost, FILTER_VALIDATE_IP) ? $_ssrfHost : gethostbyname($_ssrfHost);
+if (ip_is_private($_ssrfIP)) {
+    error_log("getImage: SSRF attempt blocked - host '{$_ssrfHost}' resolves to private IP '{$_ssrfIP}'");
+    die();
+}
+unset($_ssrfParsed, $_ssrfHost, $_ssrfIP);
 // Remove shell metacharacters from URL
 $url = str_replace(array('"', "'", '`', '$', '\\', ';', '|', '&', '(', ')', '{', '}', '<', '>', "\n", "\r", "\0"), '', $url);
 $urlEscaped = escapeshellarg($url);

Source: GitHub Commit Update

The corresponding fix for getImageMP4.php:

php

 header('Access-Control-Allow-Origin: *');
 $url = base64_decode($_GET['base64Url']);
 
+// SSRF protection: validate URL and block access to private/internal network addresses
+if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('/^https?:\/\//i', $url)) {
+    error_log("getImageMP4: Invalid URL rejected: {$url}");
+    die();
+}
+$_ssrfParsed = parse_url($url);
+$_ssrfHost = isset($_ssrfParsed['host']) ? $_ssrfParsed['host'] : '';
+if (empty($_ssrfHost) || preg_match('/^(localhost|.*\.local)$/i', $_ssrfHost)) {
+    error_log("getImageMP4: SSRF attempt blocked for host: {$_ssrfHost}");
+    die();
+}
+$_ssrfIP = filter_var($_ssrfHost, FILTER_VALIDATE_IP) ? $_ssrfHost : gethostbyname($_ssrfHost);
+if (ip_is_private($_ssrfIP)) {
+    error_log("getImageMP4: SSRF attempt blocked - host '{$_ssrfHost}' resolves to private IP '{$_ssrfIP}'");
+    die();
+}
+unset($_ssrfParsed, $_ssrfHost, $_ssrfIP);
+
 if (!isURLaVODVideo($url)) {
     error_log("ERROR URL is not a VOD {$url}");
     die();

Source: GitHub Commit Update

Detection Methods for CVE-2026-33024

Indicators of Compromise

Unusual requests to /objects/getImage.php or /objects/getImageMP4.php with base64-encoded URLs targeting internal IP ranges
Web server logs showing decoded base64Url parameters containing 169.254.169.254, 127.0.0.1, 192.168.x.x, 10.x.x.x, or 172.16.x.x addresses
Error logs containing "SSRF attempt blocked" messages (post-patch) or unusual ffmpeg errors for internal URLs (pre-patch)
Outbound connections from the web server to cloud metadata endpoints or internal services

Detection Strategies

Implement web application firewall (WAF) rules to inspect and block requests with base64-encoded private IP addresses or metadata service URLs
Monitor application logs for unusual patterns in the base64Url parameter, particularly requests with encoded internal network addresses
Deploy network segmentation monitoring to detect the web server initiating connections to internal services or metadata endpoints
Use intrusion detection systems (IDS) to flag HTTP requests from the AVideo server to RFC 1918 addresses or link-local addresses

Monitoring Recommendations

Enable verbose logging for the getImage.php and getImageMP4.php endpoints to capture all incoming URL parameters
Set up alerts for any outbound traffic from the AVideo server to the cloud metadata IP range (169.254.169.254/32)
Monitor for timing anomalies in thumbnail generation requests that may indicate SSRF probing activity
Review network flow logs for unexpected internal service access patterns originating from the AVideo deployment

How to Mitigate CVE-2026-33024

Immediate Actions Required

Upgrade AVideo Encoder to version 8.0 or later immediately, as this version contains the security fix
If immediate upgrade is not possible, restrict network access from the AVideo server to internal services using firewall rules
Block outbound access from the AVideo server to the cloud metadata service (169.254.169.254) at the network level
Review access logs for evidence of prior exploitation attempts targeting the vulnerable endpoints

Patch Information

The vulnerability has been fixed in AVideo Encoder version 8.0. The patch implements comprehensive SSRF protection by:

Validating URL syntax and protocol scheme
Blocking hostnames matching localhost or *.local patterns
Resolving DNS hostnames and checking the resulting IP against private ranges using the ip_is_private() function
Logging all blocked SSRF attempts for security monitoring

The security fix is available via the GitHub Commit. Additional details can be found in the GitHub Security Advisory.

Workarounds

Implement network-level controls to prevent the AVideo server from accessing internal networks and cloud metadata endpoints
Deploy a reverse proxy or WAF in front of AVideo to inspect and filter base64-encoded URL parameters for private addresses
Disable the getImage.php and getImageMP4.php endpoints if thumbnail generation from external URLs is not required
Use IMDSv2 (Instance Metadata Service Version 2) on AWS deployments to require session tokens for metadata access, reducing the impact of blind SSRF

bash

# Block outbound traffic to cloud metadata and internal networks (iptables example)
# Block AWS/cloud metadata service
iptables -A OUTPUT -d 169.254.169.254 -j DROP

# Block common internal network ranges from the AVideo server
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP

CVE-2026-33024 Overview

Critical Impact
Unauthenticated attackers can exploit this SSRF vulnerability to access internal network resources, cloud instance metadata (including AWS credentials at http://169.254.169.254/), and probe internal infrastructure without any authentication requirements.

Affected Products

wwbn avideo-encoder versions prior to 8.0
AVideo platform deployments using vulnerable getImage.php endpoint
AVideo platform deployments using vulnerable getImageMP4.php endpoint

Discovery Timeline

2026-03-20 - CVE CVE-2026-33024 published to NVD
2026-03-24 - Last updated in NVD database

Technical Details for CVE-2026-33024

Vulnerability Analysis

Root Cause

The root cause is insufficient URL validation before processing user-supplied input. The original implementation only performed two checks:

Syntactic URL validation using PHP's FILTER_VALIDATE_URL
Protocol verification ensuring the URL starts with http:// or https://

Attack Vector

The following patch demonstrates the fix implemented in version 8.0 for getImage.php:

php

     error_log("getImage: Invalid URL rejected: {$url}");
     die();
 }
+// SSRF protection: block requests to private/internal network addresses
+$_ssrfParsed = parse_url($url);
+$_ssrfHost = isset($_ssrfParsed['host']) ? $_ssrfParsed['host'] : '';
+if (empty($_ssrfHost) || preg_match('/^(localhost|.*\.local)$/i', $_ssrfHost)) {
+    error_log("getImage: SSRF attempt blocked for host: {$_ssrfHost}");
+    die();
+}
+// Check direct IP notation and DNS-resolved addresses against private ranges
+$_ssrfIP = filter_var($_ssrfHost, FILTER_VALIDATE_IP) ? $_ssrfHost : gethostbyname($_ssrfHost);
+if (ip_is_private($_ssrfIP)) {
+    error_log("getImage: SSRF attempt blocked - host '{$_ssrfHost}' resolves to private IP '{$_ssrfIP}'");
+    die();
+}
+unset($_ssrfParsed, $_ssrfHost, $_ssrfIP);
 // Remove shell metacharacters from URL
 $url = str_replace(array('"', "'", '`', '$', '\\', ';', '|', '&', '(', ')', '{', '}', '<', '>', "\n", "\r", "\0"), '', $url);
 $urlEscaped = escapeshellarg($url);

Source: GitHub Commit Update

The corresponding fix for getImageMP4.php:

php

 header('Access-Control-Allow-Origin: *');
 $url = base64_decode($_GET['base64Url']);
 
+// SSRF protection: validate URL and block access to private/internal network addresses
+if (!filter_var($url, FILTER_VALIDATE_URL) || !preg_match('/^https?:\/\//i', $url)) {
+    error_log("getImageMP4: Invalid URL rejected: {$url}");
+    die();
+}
+$_ssrfParsed = parse_url($url);
+$_ssrfHost = isset($_ssrfParsed['host']) ? $_ssrfParsed['host'] : '';
+if (empty($_ssrfHost) || preg_match('/^(localhost|.*\.local)$/i', $_ssrfHost)) {
+    error_log("getImageMP4: SSRF attempt blocked for host: {$_ssrfHost}");
+    die();
+}
+$_ssrfIP = filter_var($_ssrfHost, FILTER_VALIDATE_IP) ? $_ssrfHost : gethostbyname($_ssrfHost);
+if (ip_is_private($_ssrfIP)) {
+    error_log("getImageMP4: SSRF attempt blocked - host '{$_ssrfHost}' resolves to private IP '{$_ssrfIP}'");
+    die();
+}
+unset($_ssrfParsed, $_ssrfHost, $_ssrfIP);
+
 if (!isURLaVODVideo($url)) {
     error_log("ERROR URL is not a VOD {$url}");
     die();

Source: GitHub Commit Update

Detection Methods for CVE-2026-33024

Indicators of Compromise

Unusual requests to /objects/getImage.php or /objects/getImageMP4.php with base64-encoded URLs targeting internal IP ranges
Web server logs showing decoded base64Url parameters containing 169.254.169.254, 127.0.0.1, 192.168.x.x, 10.x.x.x, or 172.16.x.x addresses
Error logs containing "SSRF attempt blocked" messages (post-patch) or unusual ffmpeg errors for internal URLs (pre-patch)
Outbound connections from the web server to cloud metadata endpoints or internal services

Detection Strategies

Implement web application firewall (WAF) rules to inspect and block requests with base64-encoded private IP addresses or metadata service URLs
Monitor application logs for unusual patterns in the base64Url parameter, particularly requests with encoded internal network addresses
Deploy network segmentation monitoring to detect the web server initiating connections to internal services or metadata endpoints
Use intrusion detection systems (IDS) to flag HTTP requests from the AVideo server to RFC 1918 addresses or link-local addresses

Monitoring Recommendations

Enable verbose logging for the getImage.php and getImageMP4.php endpoints to capture all incoming URL parameters
Set up alerts for any outbound traffic from the AVideo server to the cloud metadata IP range (169.254.169.254/32)
Monitor for timing anomalies in thumbnail generation requests that may indicate SSRF probing activity
Review network flow logs for unexpected internal service access patterns originating from the AVideo deployment

How to Mitigate CVE-2026-33024

Immediate Actions Required

Upgrade AVideo Encoder to version 8.0 or later immediately, as this version contains the security fix
If immediate upgrade is not possible, restrict network access from the AVideo server to internal services using firewall rules
Block outbound access from the AVideo server to the cloud metadata service (169.254.169.254) at the network level
Review access logs for evidence of prior exploitation attempts targeting the vulnerable endpoints

Patch Information

The vulnerability has been fixed in AVideo Encoder version 8.0. The patch implements comprehensive SSRF protection by:

Validating URL syntax and protocol scheme
Blocking hostnames matching localhost or *.local patterns
Resolving DNS hostnames and checking the resulting IP against private ranges using the ip_is_private() function
Logging all blocked SSRF attempts for security monitoring

The security fix is available via the GitHub Commit. Additional details can be found in the GitHub Security Advisory.

Workarounds

Implement network-level controls to prevent the AVideo server from accessing internal networks and cloud metadata endpoints
Deploy a reverse proxy or WAF in front of AVideo to inspect and filter base64-encoded URL parameters for private addresses
Disable the getImage.php and getImageMP4.php endpoints if thumbnail generation from external URLs is not required
Use IMDSv2 (Instance Metadata Service Version 2) on AWS deployments to require session tokens for metadata access, reducing the impact of blind SSRF

bash

# Block outbound traffic to cloud metadata and internal networks (iptables example)
# Block AWS/cloud metadata service
iptables -A OUTPUT -d 169.254.169.254 -j DROP

# Block common internal network ranges from the AVideo server
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP

CVE-2026-33024: Wwbn Avideo-encoder SSRF Vulnerability

CVE-2026-33024 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-33024

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-33024

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-33024

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2026-33024: Wwbn Avideo-encoder SSRF Vulnerability

CVE-2026-33024 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2026-33024

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2026-33024

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2026-33024

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform