CVE-2026-33024
Server-Side Request Forgery in AVideo Thumbnail Endpoints

Publication date: 2026-03-20

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an input source without any authentication requirement. The prior validation only checked that the URL was syntactically valid (FILTER_VALIDATE_URL) and started with http(s)://. This is insufficient: an attacker can supply URLs such as http://169.254.169.254/latest/meta-data/ (AWS/cloud instance metadata), http://192.168.x.x/, or http://127.0.0.1/ to make the server reach internal network resources. The response is not directly returned (blind), but timing differences and error logs can be used to infer results. The issue has been fixed in version 8.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wwbn
Product: avideo-encoder
Version / Range: up to 8.0 (excluding 8.0)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33024 is a Server-Side Request Forgery (SSRF) vulnerability in AVideo-Encoder versions prior to 8.0, specifically in the public thumbnail endpoints getImage.php and getImageMP4.php.

These endpoints accept a base64Url GET parameter, decode it, and use the resulting URL as an input source for ffmpeg without requiring authentication.

The prior validation only checked that the URL was syntactically valid and started with http(s)://, which is insufficient.

An attacker can supply URLs pointing to internal network resources such as AWS cloud instance metadata (e.g., http://169.254.169.254/latest/meta-data/), private IP ranges (e.g., http://192.168.x.x/), or localhost (http://127.0.0.1/), causing the server to make requests to these internal services.

The response is not directly returned (blind SSRF), but attackers can infer results through timing differences and error logs.

This vulnerability was fixed in version 8.0 by adding hostname resolution and blocking requests to private IP ranges, localhost, and .local hostnames.


How can this vulnerability impact me?

This vulnerability allows an attacker to make the vulnerable server perform HTTP requests to internal network resources that are normally inaccessible from the outside.

Such internal resources may include cloud instance metadata services, private network devices, or localhost services.

An attacker can exploit this to gather sensitive information from internal systems, potentially leading to further attacks or data breaches.

Because the vulnerability requires no authentication and is accessible via public endpoints, any exposed AVideo-Encoder instance is at risk.

Although the SSRF is blind (no direct response), attackers can infer information through timing and error logs.

Mitigations include upgrading to version 8.0 or later, restricting access to the vulnerable endpoints, and enabling protections like AWS IMDSv2 on cloud hosts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a blind Server-Side Request Forgery (SSRF), meaning the response is not directly returned to the attacker. Detection can be done by monitoring timing differences and analyzing error logs generated by the vulnerable endpoints getImage.php and getImageMP4.php when they attempt to access internal or private network resources.

To detect exploitation attempts on your system, you can check your web server or application logs for unusual requests to these endpoints containing base64Url parameters that decode to internal IP addresses or metadata service URLs such as http://169.254.169.254/latest/meta-data/ or private IP ranges like 192.168.x.x or 127.0.0.1.

Suggested commands to help detect potential exploitation attempts include:

  • Use grep to find suspicious base64Url parameters in access logs and decode them (the parameter name is stripped before decoding, and URL-safe base64 characters are mapped to the standard alphabet): grep -Eo 'base64Url=[^& ]+' /var/log/apache2/access.log | sed 's/^base64Url=//' | tr '_-' '/+' | while read -r param; do echo "$param" | base64 --decode 2>/dev/null; echo; done
  • Search error logs for SSRF-related errors or blocked requests: grep -i 'ssrf' /var/log/apache2/error.log
  • Monitor network traffic for outbound requests from the server to internal IP ranges using tools like tcpdump or Wireshark: sudo tcpdump -i eth0 dst net 192.168.0.0/16 or sudo tcpdump -i eth0 dst net 169.254.0.0/16


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade AVideo-Encoder to version 8.0 or later, where the vulnerability is fixed by validating and blocking requests to private IP ranges and local hostnames in the getImage.php and getImageMP4.php endpoints.

If immediate upgrade is not possible, the following steps can help mitigate the risk:

  • Restrict external access to the vulnerable endpoints (getImage.php and getImageMP4.php) at the web server or firewall level, allowing only trusted IP addresses such as the AVideo front-end server.
  • On cloud hosts, enable protections for instance metadata services, such as AWS IMDSv2, which requires session tokens and makes SSRF exploitation more difficult.
  • Monitor logs for SSRF attempts and block suspicious requests.
