GHSA-5X2W-37XF-7962

GHSA-5X2W-37XF-7962 is a medium-severity missing authentication for critical function vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. No fixed version is listed yet.

Summary

The AVideo platform exposes a publicly accessible endpoint that performs server-side PGP decryption without requiring any form of authentication. Any anonymous user can submit a private key, ciphertext, and passphrase to the endpoint and receive the decrypted plaintext in the JSON response. This functionality is entirely unprotected, meaning no session, token, or credential is needed to invoke it.

Details

The endpoint at decryptMessage.json.php accepts a JSON body containing three user-supplied fields: a private key, an encrypted message, and a key password. The server passes these directly into a decryption routine and returns the result. There is no call to any authentication or session validation function before this operation is performed. The relevant server-side operation is:

$textDecrypted = decryptMessage($obj->textToDecrypt, $obj->privateKeyToDecryptMsg, $obj->keyPassword);

Because no access control exists, any unauthenticated request that reaches this endpoint will be processed. The primary concerns are exposure of private key material to server memory and logging infrastructure, and unconstrained consumption of server CPU resources for cryptographic operations. An attacker who has obtained a private key and matching ciphertext through other means can offload decryption work to the target server without holding any account on the platform.

PoC

curl -s -X POST \
  "https://target.example.com/plugin/LoginControl/pgp/decryptMessage.json.php" \
  -H "Content-Type: application/json" \
  -d '{
    "textToDecrypt": "-----BEGIN PGP MESSAGE-----\n<base64_ciphertext>\n-----END PGP MESSAGE-----",
    "privateKeyToDecryptMsg": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n<base64_private_key>\n-----END PGP PRIVATE KEY BLOCK-----",
    "keyPassword": "passphrase"
  }'

Mitigation

A User::isLogged() check, or an equivalent session and authentication validation step, should be added at the top of decryptMessage.json.php before any user-supplied input is processed. Decryption operations should only be permitted for authenticated and authorized users. Server logging configuration should also be reviewed to ensure that POST body contents, including key material, are not written to persistent logs.
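The gated handler the mitigation describes, as an added example (not AVideo project code): it assumes User::isLogged() and the decryptMessage() routine named in the advisory exist with those signatures; the HTTP status handling, field validation and response shape are the example's own.

```php
<?php
// Added example, not the project's code: hardened sketch of decryptMessage.json.php.
// Assumes User::isLogged() and decryptMessage() exist as named in the advisory.
header('Content-Type: application/json');

function jsonFail(int $status, string $msg): void {
    http_response_code($status);
    echo json_encode(['error' => true, 'msg' => $msg]);
    exit;
}

// 1. The authentication gate runs before the request body is even read,
//    so anonymous callers never get key material into the decrypt path.
if (!User::isLogged()) {
    jsonFail(401, 'Authentication required');
}

// 2. Parse and validate the body; reject malformed or incomplete requests.
$obj = json_decode(file_get_contents('php://input'));
if (!is_object($obj)) {
    jsonFail(400, 'Invalid JSON body');
}
foreach (['textToDecrypt', 'privateKeyToDecryptMsg', 'keyPassword'] as $field) {
    if (empty($obj->$field) || !is_string($obj->$field)) {
        jsonFail(400, "Missing or invalid field: $field");
    }
}

// 3. Decrypt for the authenticated user only. On failure, log a generic
//    message; never write $obj (private key, passphrase) to error_log().
$textDecrypted = decryptMessage($obj->textToDecrypt, $obj->privateKeyToDecryptMsg, $obj->keyPassword);
if ($textDecrypted === false || $textDecrypted === null) {
    error_log('decryptMessage.json.php: decryption failed (body withheld)');
    jsonFail(422, 'Decryption failed');
}

echo json_encode(['error' => false, 'textDecrypted' => $textDecrypted]);
```

Authentication alone does not bound CPU consumption by logged-in accounts; the rate limiting the Impact section calls for is a separate control, as is the web server logging review.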

Impact

Private key material submitted to this endpoint is processed in server memory and may be captured in application logs, web server access logs, or error logs depending on server configuration. This can result in unintended disclosure of sensitive key material to administrators or anyone with log access. Additionally, the lack of any rate limiting combined with the absence of authentication allows any external party to submit large volumes of decryption requests, consuming server CPU resources without restriction. Any user who can reach the endpoint at the network layer can trigger these effects.

A critical operation is accessible without requiring any authentication. Typical impact: any user can invoke the privileged function.

Affected versions

wwbn/avideo (<= 25.0)

Security releases

Not available

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

No fixed version is listed for GHSA-5X2W-37XF-7962 yet.

In the interim: Keep the dependency up to date. Add authentication gating to all sensitive endpoints.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-5X2W-37XF-7962? GHSA-5X2W-37XF-7962 is a medium-severity missing authentication for critical function vulnerability in wwbn/avideo (composer), affecting versions <= 25.0. No fixed version is listed yet. A critical operation is accessible without requiring any authentication.
  2. Which versions of wwbn/avideo are affected by GHSA-5X2W-37XF-7962? wwbn/avideo (composer) versions <= 25.0 are affected.
  3. Is there a fix for GHSA-5X2W-37XF-7962? No fixed version is listed for GHSA-5X2W-37XF-7962 yet. Monitor the advisory for updates and apply mitigations in the interim.
  4. Is GHSA-5X2W-37XF-7962 exploitable, and should I be worried? Whether GHSA-5X2W-37XF-7962 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether GHSA-5X2W-37XF-7962 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-5X2W-37XF-7962? No fixed version is listed yet. In the interim: Keep the dependency up to date. Add authentication gating to all sensitive endpoints.

