GHSA-5x2w-37xf-7962: AVideo has Unauthenticated PGP Message Decryption via Public Endpoint

March 19, 2026

The AVideo platform exposes a publicly accessible endpoint that performs server-side PGP decryption without requiring any form of authentication. Any anonymous user can submit a private key, ciphertext, and passphrase to the endpoint and receive the decrypted plaintext in the JSON response. This functionality is entirely unprotected, meaning no session, token, or credential is needed to invoke it.

References

github.com/WWBN/AVideo
github.com/WWBN/AVideo/security/advisories/GHSA-5x2w-37xf-7962
github.com/advisories/GHSA-5x2w-37xf-7962

Code Behaviors & Features

Detect and mitigate GHSA-5x2w-37xf-7962 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →