CVE-2026-45619
DNS Rebinding TOCTOU in WWBN AVideo
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wwbn | avideo | to 29.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in WWBN AVideo arises because multiple parts of the code call the function isSSRFSafeURL() but ignore its $resolvedIP output parameter. This oversight allows attackers to exploit a DNS-rebinding Time-of-Check Time-of-Use (TOCTOU) race condition, bypassing DNS pinning protections implemented via CURLOPT_RESOLVE.
As a result, attackers can perform Server-Side Request Forgery (SSRF) attacks by tricking the server into making unauthorized requests to internal or protected resources.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to internal network resources by allowing attackers to bypass DNS pinning protections and perform SSRF attacks.
This can result in a high confidentiality impact, meaning sensitive data could be exposed, although the integrity impact is low.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to bypass DNS pinning protections, enabling Server-Side Request Forgery (SSRF) attacks that have a high impact on confidentiality. This could potentially lead to unauthorized access to sensitive data.
Such unauthorized access risks may affect compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized disclosure.
However, the provided information does not explicitly detail the direct impact on compliance with these standards.
What immediate steps should I take to mitigate this vulnerability?
There are no patched versions currently available for this vulnerability.
The vulnerability arises because multiple call sites of the isSSRFSafeURL() function discard the $resolvedIP output parameter, allowing DNS-rebinding TOCTOU attacks that bypass DNS pinning protections.
Immediate mitigation steps should include reviewing and modifying the code to properly use the $resolvedIP out-param of isSSRFSafeURL() at all call sites to enforce DNS pinning via CURLOPT_RESOLVE.
Until a patch is released, consider restricting network access or applying firewall rules to limit exposure to untrusted DNS responses and SSRF attack vectors.