CVE-2025-34439
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-19

Assigner: VulnCheck

Description
AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-17
EPSS Evaluated
2026-06-15
NVD
CVE-2025-34439
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wwbn avideo to 20.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-34439 is an open redirect vulnerability in AVideo versions prior to 20.0 caused by insufficient validation of the cancelUri parameter during user login. This flaw allows attackers to craft malicious links that redirect users to arbitrary external websites, potentially leading to phishing attacks. The vulnerability was fixed by implementing a stricter URL validation function that only allows safe, same-origin or relative URLs and rejects dangerous protocols. [1, 2]

Impact Analysis

This vulnerability can impact you by enabling attackers to redirect users to malicious external sites through crafted links. This can facilitate phishing attacks where users might be tricked into providing sensitive information or credentials on fraudulent websites, potentially leading to account compromise or data theft. [1, 2]

Detection Guidance

You can detect this vulnerability by monitoring for URLs or HTTP requests that include the `cancelUri` parameter with external or suspicious redirect URLs. For example, you can use network traffic inspection tools or web server logs to search for requests containing `cancelUri` parameters that redirect to domains different from your AVideo instance. A sample command using grep on web server logs might be: `grep -i 'cancelUri=' /path/to/access.log | grep -v 'yourdomain.com'` to find redirect attempts to external sites. Additionally, inspecting HTTP requests for redirect parameters that do not start with '/' or that include dangerous protocols like 'javascript:' can help identify exploitation attempts. [2]

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade your AVideo installation to version 20.0 or later, where the issue has been fixed by implementing a stricter URL validation function `isSafeRedirectURL()`. This function ensures that only relative URLs starting with '/' or absolute URLs belonging to the same origin are allowed for redirection, and it blocks dangerous protocols such as 'javascript:', 'data:', 'file:', 'vbscript:', and 'about:'. If upgrading is not immediately possible, consider applying the patch from the commit https://github.com/WWBN/AVideo/commit/88bc40427b that replaces the previous URL validation with the safer one. Also, monitor and block suspicious redirect URLs in your web server or application firewall. [1, 2]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-34439. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart