GHSA-j432-4w3j-3w8j: WWBN AVideo has a SSRF via same-domain hostname with alternate port bypasses isSSRFSafeURL

April 14, 2026

The isSSRFSafeURL() function in objects/functions.php contains a same-domain shortcircuit (lines 4290-4296) that allows any URL whose hostname matches webSiteRootURL to bypass all SSRF protections. Because the check compares only the hostname and ignores the port, an attacker can reach arbitrary ports on the AVideo server by using the site’s public hostname with a non-standard port. The response body is saved to a web-accessible path, enabling full exfiltration.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-j432-4w3j-3w8j
github.com/advisories/GHSA-j432-4w3j-3w8j

Code Behaviors & Features

Detect and mitigate GHSA-j432-4w3j-3w8j with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →