CVE-2025-34438

EUVD-2025-203956
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Affected Products (NVD)
VendorProductVersion
wwbnavideo
𝑥
< 20.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://chocapikk.com/posts/2025/avideo-security-vulnerabilities/
https://github.com/WWBN/AVideo/commit/4a53ab2056
https://github.com/WWBN/AVideo/commit/c2feaf25cb
https://www.vulncheck.com/advisories/avideo-idor-arbirary-video-rotation