CVE-2025-34438
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-19

Assigner: VulnCheck

Description
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-14
NVD
CVE-2025-34438
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 20.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34438 is an Insecure Direct Object Reference (IDOR) vulnerability in AVideo versions prior to 20.0. It allows users who have upload permissions to modify the rotation metadata of any video, not just the ones they own or manage. The system checks if the user can upload but does not verify if the user has ownership or management rights over the targeted video, enabling unauthorized modification of video rotation metadata. [1]

Impact Analysis

This vulnerability can allow unauthorized users with upload permissions to manipulate the rotation metadata of any video on the platform. This could lead to unauthorized changes to video content presentation, potential disruption of video display, and misuse of video assets. It may also enable privilege escalation where users modify videos they should not have access to, potentially impacting content integrity and trust. [1]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade AVideo to version 20.0 or later, which includes security enhancements enforcing per-video authorization checks for rotation update operations. This update ensures that only users with management permissions for a specific video can modify its rotation metadata, preventing unauthorized access. If upgrading is not immediately possible, restrict upload permissions to trusted users only and monitor for unauthorized modification attempts. [1, 2]

Detection Guidance

To detect exploitation attempts of CVE-2025-34438, monitor requests to the video rotation metadata modification endpoints, such as those handled by `videoRotate.json.php`. Look for requests where users with upload permissions attempt to modify rotation metadata of videos they do not own or manage. You can use network monitoring tools or web server logs to identify such unauthorized modification attempts. For example, using command-line tools like `grep` on web server logs to find POST requests to the rotation endpoint, combined with user identifiers and video IDs, may help detect suspicious activity. A sample command to search Apache logs for rotation modification attempts could be: `grep 'POST /objects/videoRotate.json.php' /var/log/apache2/access.log`. Further analysis would require correlating user permissions with targeted video IDs to identify unauthorized access attempts. Since the vulnerability involves missing authorization checks, detecting unauthorized rotation changes may also involve auditing application logs or database changes for rotation metadata updates by users without management rights. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart