CVE-2026-41055 Overview
WWBN AVideo is an open source video platform that contains a Server-Side Request Forgery (SSRF) vulnerability due to an incomplete security fix in the LiveLinks proxy functionality. The vulnerability exists in versions 29.0 and below where the isSSRFSafeURL() validation function is susceptible to DNS Time-of-Check Time-of-Use (TOCTOU) attacks. This flaw allows attackers to exploit DNS rebinding techniques to bypass SSRF protections, potentially redirecting traffic to internal endpoints and accessing restricted network resources.
Critical Impact
Attackers can leverage DNS rebinding to bypass SSRF validation controls, enabling unauthorized access to internal network services and potentially exposing sensitive data from backend systems.
Affected Products
- WWBN AVideo versions 29.0 and below
- AVideo LiveLinks proxy module
- Self-hosted AVideo installations without the security patch
Discovery Timeline
- 2026-04-21 - CVE-2026-41055 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-41055
Vulnerability Analysis
This vulnerability represents a classic DNS rebinding attack vector that exploits the gap between URL validation and actual HTTP request execution. The original SSRF fix implemented isSSRFSafeURL() validation to check whether requested URLs point to safe external resources. However, this validation occurs at a different time than the actual HTTP request, creating a TOCTOU race condition. An attacker can configure a malicious DNS server to return a legitimate external IP address during validation but then respond with an internal IP address (such as 127.0.0.1, 10.x.x.x, or 192.168.x.x) when the actual HTTP request is made.
The vulnerability is classified under CWE-918 (Server-Side Request Forgery), which occurs when a web application fetches remote resources without properly validating the destination URL. In this case, even with validation present, the DNS rebinding technique renders the protection ineffective.
Root Cause
The root cause is the temporal gap between DNS resolution during URL validation and DNS resolution during the actual HTTP request. The isSSRFSafeURL() function validates the URL by resolving the hostname to an IP address and checking if it belongs to private or reserved IP ranges. However, DNS responses have a time-to-live (TTL) value, and an attacker can set an extremely short TTL (even 0 seconds) to force re-resolution. Between the validation check and the actual request, the DNS response changes from a safe external IP to an internal IP address, effectively bypassing all SSRF protections.
Additionally, the original implementation allowed HTTP redirects to be followed automatically, which provided another avenue for SSRF bypass by redirecting validated requests to internal resources.
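The race described above, reduced to a runnable Python model (this is an added illustration, not AVideo's PHP code): an attacker-controlled zone is simulated by a constructed RebindingResolver that answers a public address on the first lookup and an internal one afterwards, and the two fetch patterns are compared. fetch_target_toctou validates the name and then lets the client resolve it again, which is the pre-fix behaviour; fetch_plan_pinned resolves once, validates that address, and builds the request around it with redirects disabled, which is the pinning the patch introduces. The hostnames and IPs are constructed sample values.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Ranges the advisory lists as internal, plus link-local (cloud metadata) and IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal_ip(ip: str) -> bool:
    """True if the resolved address falls in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class RebindingResolver:
    """Constructed stand-in for an attacker-controlled DNS zone with TTL 0:
    the first lookup answers with a public IP, every later lookup with an internal one."""

    def __init__(self, host: str, first_ip: str, later_ip: str):
        self.host, self.first_ip, self.later_ip = host, first_ip, later_ip
        self.lookups = 0

    def resolve(self, host: str) -> str:
        if host != self.host:
            raise LookupError(f"no answer for {host!r}")
        self.lookups += 1
        return self.first_ip if self.lookups == 1 else self.later_ip


def _hostname(url: str) -> str:
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no hostname")
    return host


def fetch_target_toctou(url: str, resolver) -> str:
    """Pre-fix pattern: validate the hostname, then let the HTTP client resolve it again.
    Returns the IP the request would actually connect to."""
    host = _hostname(url)
    if is_internal_ip(resolver.resolve(host)):   # time of check
        raise PermissionError("blocked by SSRF check")
    return resolver.resolve(host)                 # time of use: a second, independent lookup


def fetch_plan_pinned(url: str, resolver) -> dict:
    """Post-fix pattern (DNS pinning): resolve exactly once, validate that IP, connect to it.
    Returns the request the HTTP client should make instead of performing it."""
    parts = urlsplit(url)
    host = _hostname(url)
    resolved_ip = resolver.resolve(host)          # the only lookup
    if is_internal_ip(resolved_ip):
        raise PermissionError("blocked by SSRF check")
    # Put the pinned IP in the URL; the original hostname travels in the Host header.
    ip_literal = f"[{resolved_ip}]" if ":" in resolved_ip else resolved_ip
    port_suffix = "" if parts.port is None else f":{parts.port}"
    return {
        "connect_ip": resolved_ip,
        "url": urlunsplit((parts.scheme, ip_literal + port_suffix, parts.path, parts.query, "")),
        "headers": {"Host": host + port_suffix},
        "follow_redirects": False,   # a 3xx answer must not be followed to an unvalidated host
    }


if __name__ == "__main__":
    url = "http://attacker.example:8080/admin"
    print("unpinned connects to:",
          fetch_target_toctou(url, RebindingResolver("attacker.example", "203.0.113.10", "127.0.0.1")))
    print("pinned request:",
          fetch_plan_pinned(url, RebindingResolver("attacker.example", "203.0.113.10", "127.0.0.1")))
```

Two details matter when this is applied to a real client: for https URLs the TLS layer must still verify the certificate against the original hostname (SNI and peer name), since the URL now carries an IP literal; and with redirects disabled a 3xx response should be treated as a failed fetch, not re-resolved and retried.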
Attack Vector
The attack exploits the network-accessible LiveLinks proxy feature in AVideo. An attacker crafts a malicious URL pointing to a domain under their control, with a DNS server configured to perform DNS rebinding:
- The attacker submits a URL through the LiveLinks proxy functionality
- AVideo's isSSRFSafeURL() resolves the hostname and receives a legitimate external IP
- Validation passes as the IP is not in private ranges
- Before or during the actual HTTP request, the DNS TTL expires
- The subsequent DNS lookup returns an internal IP address (e.g., 127.0.0.1), so the request reaches a local service on the port named in the URL (e.g., 127.0.0.1:8080)
- The proxy makes a request to the internal endpoint, bypassing network segmentation
The security patch addresses this by implementing DNS pinning (returning the resolved IP to the caller through the by-reference &$resolvedIP parameter so that the request is made to that address) and disabling automatic redirect following:
// Security patch in plugin/LiveLinks/proxy.php
// Source: https://github.com/WWBN/AVideo/commit/0e56382921fc71e64829cd1ec35f04e338c70917
'http' => array(
'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
"method" => "GET",
- "header" => array("Referer: localhost\r\nAccept-languange: en\r\nCookie: foo=bar\r\n")
+ "header" => array("Referer: localhost\r\nAccept-languange: en\r\nCookie: foo=bar\r\n"),
+ 'follow_location' => 0,
+ 'max_redirects' => 0,
)
);
$context = stream_context_create($options);
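Review bot: the re-added header line still carries the misspelled `Accept-languange`, so no Accept-Language header is ever sent; correct it to `Accept-Language: en` while this line is being changed. With `'follow_location' => 0` the proxy now receives 3xx responses itself, so the calling code should treat a redirect status as a failed fetch rather than relaying it. This hunk alone also leaves the DNS re-resolution gap open: the connection is still opened by hostname rather than by the IP that isSSRFSafeURL() checked.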
The DNS pinning enhancement in objects/functions.php:
// Security patch in objects/functions.php - DNS pinning implementation
// Source: https://github.com/WWBN/AVideo/commit/8d8fc0cadb425835b4861036d589abcea4d78ee8
* @param string $url The URL to validate
* @return bool True if safe from SSRF, false otherwise
*/
-function isSSRFSafeURL($url)
+function isSSRFSafeURL($url, &$resolvedIP = null)
{
global $global;
if (empty($url) || !is_string($url)) {
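Review bot: the docblock above the signature is not updated for the new by-reference parameter; add `@param string|null $resolvedIP Receives the IP the hostname resolved to` so callers know they are expected to connect to that address. The early-return branch at `if (empty($url) || !is_string($url))` should also assign `$resolvedIP = null` before returning false, otherwise a caller that reuses the variable across calls can keep the IP from a previous validation. For the pinning to hold, the caller has to connect to `$resolvedIP` and send the original hostname in the Host header (and as SNI for https); returning the IP by itself does not close the gap.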
Detection Methods for CVE-2026-41055
Indicators of Compromise
- DNS answers with extremely low TTL values (0-1 seconds) for names queried by the AVideo server
- HTTP requests from the AVideo server to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Multiple DNS resolutions for the same hostname within short time intervals from the proxy component
- Access logs showing LiveLinks proxy requests followed by internal service access attempts
Detection Strategies
- Monitor outbound connections from the AVideo server for attempts to reach internal network segments
- Implement DNS query logging and alert on domains with suspiciously low TTL values
- Deploy network segmentation monitoring to detect unauthorized cross-segment traffic originating from the web application tier
- Analyze HTTP access logs for patterns consistent with SSRF probing through the /plugin/LiveLinks/proxy.php endpoint
Monitoring Recommendations
- Configure web application firewall (WAF) rules to inspect and block requests to the LiveLinks proxy that contain suspicious domain patterns
- Enable detailed logging for all proxy-related functions in AVideo and forward logs to a SIEM platform
- Set up alerts for DNS rebinding indicators such as rapid TTL changes or domains resolving to different IP addresses in quick succession
- Monitor for access to cloud metadata endpoints (169.254.169.254) and other common SSRF targets from the application server
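The DNS-side indicators above (low TTLs, repeated resolutions of one name, answers pointing at internal or metadata addresses, and a name flipping from a public to an internal address in quick succession) can be checked with a short log scan. The following is an added Python example, not tooling from AVideo or the page's source; the resolver log format it parses (unix_ts client qname rtype answer_ip ttl=seconds) and the sample lines are constructed for the example, so adapt LINE_RE to whatever your resolver or dnstap pipeline actually emits.

```python
import ipaddress
import re
from collections import defaultdict

# Ranges the advisory lists as internal, plus link-local (cloud metadata) and IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed resolver log (not a real resolver's format): one line per DNS answer seen for
# queries coming from the AVideo host (10.1.2.3 here). Fields: unix_ts client qname rtype ip ttl=<s>
SAMPLE_DNS_LOG = """\
1745000000 10.1.2.3 cdn.example.net A 198.51.100.7 ttl=3600
1745000001 10.1.2.3 attacker.example A 203.0.113.10 ttl=0
1745000002 10.1.2.3 attacker.example A 127.0.0.1 ttl=0
1745000010 10.1.2.3 cdn.example.net A 198.51.100.7 ttl=3600
1745000020 10.1.2.3 meta.example A 169.254.169.254 ttl=5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<qname>\S+) (?P<rtype>A|AAAA) (?P<ip>\S+) ttl=(?P<ttl>\d+)$")


def parse_dns_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # skip malformed lines rather than aborting the scan
        rec = m.groupdict()
        rec["ts"], rec["ttl"] = int(rec["ts"]), int(rec["ttl"])
        records.append(rec)
    return records


def detect_rebinding(records: list, low_ttl: int = 1, window: int = 60) -> list:
    """Returns (kind, qname, detail, ts) tuples for the DNS-side rebinding indicators."""
    alerts = []
    by_name = defaultdict(list)
    for rec in records:
        if rec["ttl"] <= low_ttl:
            alerts.append(("low_ttl", rec["qname"], f"ttl={rec['ttl']}", rec["ts"]))
        if is_internal_ip(rec["ip"]):
            alerts.append(("internal_answer", rec["qname"], rec["ip"], rec["ts"]))
        by_name[rec["qname"]].append(rec)
    # The rebinding signature: one name answered with a public address, then an internal one,
    # within a short window.
    for qname, recs in by_name.items():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            if (cur["ts"] - prev["ts"] <= window
                    and not is_internal_ip(prev["ip"]) and is_internal_ip(cur["ip"])):
                alerts.append(("rebind", qname, f"{prev['ip']} -> {cur['ip']}", cur["ts"]))
    return alerts


def scan(text: str = SAMPLE_DNS_LOG) -> list:
    return detect_rebinding(parse_dns_log(text))


if __name__ == "__main__":
    for alert in scan():
        print(alert)
```

A low TTL on its own is common for CDNs and load balancers, so on a production feed the "rebind" and "internal_answer" kinds are the ones worth paging on; "low_ttl" is best kept as enrichment that raises the priority of a proxy request to the same name in the web access log.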
How to Mitigate CVE-2026-41055
Immediate Actions Required
- Update WWBN AVideo to a version that includes commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 or later
- If immediate patching is not possible, disable the LiveLinks proxy feature until the update can be applied
- Implement network-level controls to prevent the AVideo server from making outbound connections to internal network segments
- Review access logs for any evidence of exploitation attempts against the proxy endpoint
Patch Information
The vulnerability has been addressed in two commits. The initial fix in commit 0e56382921fc71e64829cd1ec35f04e338c70917 disables automatic redirect following by setting follow_location to 0 and max_redirects to 0 in the HTTP context options. The complete fix in commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 implements DNS pinning by modifying isSSRFSafeURL() to return the resolved IP address, which is then used for the actual HTTP request, eliminating the TOCTOU vulnerability. For detailed information, refer to the GitHub Security Advisory GHSA-793q.
Workarounds
- Disable the LiveLinks proxy module by restricting access to /plugin/LiveLinks/proxy.php at the web server level
- Implement egress filtering on the AVideo server to block connections to private IP ranges and localhost
- Deploy a forward proxy with strict allowlisting for outbound HTTP requests from the application server
- Use network segmentation to isolate the AVideo instance from sensitive internal services
# Configuration example - Apache .htaccess placed in plugin/LiveLinks/ to disable proxy access
# (<Location> is not permitted inside .htaccess and cannot be nested in <Files>;
#  matching the script name with <Files> is the .htaccess-compatible form)
<Files "proxy.php">
    # Apache 2.4 (mod_authz_core)
    Require all denied
    # Apache 2.2, or 2.4 with mod_access_compat, uses instead:
    #   Order deny,allow
    #   Deny from all
</Files>

# Same restriction from the main server configuration (Apache 2.4)
<Location "/plugin/LiveLinks/proxy.php">
    Require all denied
</Location>

# Alternative: Nginx location block to restrict proxy access
# (an exact-match location wins over a regex "location ~ \.php$" block,
#  so the request is refused with 403 before it ever reaches PHP-FPM)
location = /plugin/LiveLinks/proxy.php {
    deny all;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

