CVE-2026-41055
DNS Rebinding SSRF in WWBN AVideo LiveLinks Proxy
Publication date: 2026-04-21
Last updated on: 2026-04-23
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | up to and including 29.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-41055 is a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to bypass protections and send requests to internal services or cloud metadata endpoints. This can lead to unauthorized access to sensitive internal resources or information disclosure.
Such unauthorized access and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal data and protected health information. If exploited, this vulnerability could lead to breaches of confidentiality and data protection requirements mandated by these regulations.
Therefore, until fully remediated, this vulnerability poses a risk to maintaining compliance with data protection and privacy standards by potentially allowing attackers to access internal data that should be protected.
Can you explain this vulnerability to me?
This vulnerability exists in WWBN AVideo, an open source video platform, in versions 29.0 and below. It stems from an incomplete Server-Side Request Forgery (SSRF) fix in the LiveLinks proxy component. A validation function, isSSRFSafeURL(), was added to prevent SSRF, but a Time-Of-Check to Time-Of-Use (TOCTOU) issue remains: the hostname is resolved once when the URL is validated and again when the HTTP request is made. Between those two resolutions, DNS rebinding can change the answer, so a URL that passed validation against a public address can cause the request to be sent to an internal endpoint that should not be reachable.
How can this vulnerability impact me?
This vulnerability can allow an attacker to bypass security controls and access internal network endpoints by exploiting the DNS TOCTOU flaw. This could lead to unauthorized access to internal services or sensitive information that is not intended to be exposed externally. Since the CVSS base score is 8.6 with high confidentiality impact, it indicates a serious risk of data exposure without requiring user interaction or privileges.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability involves monitoring for unusual or unauthorized internal network requests originating from the AVideo LiveLinks proxy endpoint. Since the vulnerability exploits DNS rebinding and TOCTOU race conditions, network logs should be inspected for requests to internal IP ranges such as 10.x.x.x, 172.16.x.x–172.31.x.x, 192.168.x.x, 127.x.x.x, and link-local 169.254.x.x that originate from the server running AVideo.
Specific commands to detect exploitation attempts are not provided in the resources. However, general network monitoring commands could include:
- Using tcpdump or tshark to capture outgoing HTTP requests from the server to internal IP ranges, for example `tcpdump -i eth0 dst net 10.0.0.0/8` or `tcpdump -i eth0 dst net 192.168.0.0/16`
- Checking web server or application logs for requests to the LiveLinks proxy endpoint that include suspicious URLs or repeated requests that might indicate SSRF attempts.
- Using curl or similar tools to manually test the LiveLinks proxy endpoint with crafted URLs to see if internal IPs can be accessed.
No explicit detection commands or scripts are detailed in the provided resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the AVideo software to a version that contains the fix introduced in commit 8d8fc0cadb425835b4861036d589abcea4d78ee8 or later. This fix enhances SSRF protection by implementing DNS pinning and eliminating the TOCTOU race condition.
- Apply the patch that modifies the `isSSRFSafeURL()` function to resolve hostnames once and use the resolved IP for validation and subsequent requests.
- Use the new `proxyDNSPinnedFetch()` function which performs HTTP requests with DNS pinning via cURL's `CURLOPT_RESOLVE` option, preventing DNS rebinding.
- Block or strictly validate redirect URLs by re-validating each redirect target and its resolved IP before following redirects.
- Avoid using PHP's `get_headers()` function for SSRF-sensitive requests as it performs separate DNS resolutions and can cause side effects.
If immediate patching is not possible, consider restricting network access from the AVideo server to internal IP ranges at the firewall level to prevent SSRF exploitation.
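The mitigation above, as an added example that is not AVideo's own code: the function names `resolvePublicIp()` and `pinnedFetch()` are hypothetical, and the block assumes PHP with the cURL extension. The hostname is resolved exactly once, the resolved address is validated, and cURL is pinned to that address with `CURLOPT_RESOLVE`; redirects are not followed by cURL, so each hop passes through the same check.

```php
<?php
// Added example, not AVideo's own code: resolve the hostname once, validate the
// resolved address, and pin cURL to it with CURLOPT_RESOLVE so a DNS answer that
// changes between check and use cannot steer the request to an internal host.
function resolvePublicIp(string $host): ?string
{
    // Literal IPs are checked as-is; names are resolved exactly once (A record only).
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return null; // gethostbyname() returns the name unchanged on failure
    }
    // Rejects 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, 0/8 and IPv6 equivalents.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) ? $ip : null;
}

function pinnedFetch(string $url, int $maxRedirects = 3): ?string
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $p = parse_url($url);
        if ($p === false || !in_array($p['scheme'] ?? '', ['http', 'https'], true) || empty($p['host'])) {
            return null;
        }
        $host = $p['host'];
        $port = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
        $ip   = resolvePublicIp($host);
        if ($ip === null) {
            return null; // unresolvable or internal: refuse this hop
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RESOLVE        => ["{$host}:{$port}:{$ip}"], // pin the validated IP
            CURLOPT_FOLLOWLOCATION => false,                      // re-validate every hop ourselves
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT        => 15,
        ]);
        $body   = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);
        if ($status >= 300 && $status < 400 && !empty($next)) {
            $url = $next; // the loop resolves and validates the redirect target afresh
            continue;
        }
        return $body === false ? null : $body;
    }
    return null; // redirect limit exceeded
}
```

Because the URL still carries the hostname, TLS certificate verification and SNI keep using the name; only the socket destination is pinned. `gethostbyname()` is IPv4-only, so IPv6-only hosts fail closed here.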