CVE-2025-48732
An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can request a .phar file to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
WWBN AVideo 14.4
WWBN AVideo dev master commit 8a8954ff
AVideo - https://github.com/WWBN/AVideo
7.3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE-184 - Incomplete Blacklist
AVideo is a web application, mostly written in PHP, that can be used to create an audio/video sharing website. It allows users to import videos from various sources, encode and share them in various ways. Users can sign up to the website in order to share videos, while viewers have anonymous access to the publicly-available contents. The platform provides plugins for features like live streaming, skins, YouTube uploads and more.
AVideo employs a security measure designed to prevent the execution of potentially malicious scripts and executable files within its videos/ directory, a location intended for storing uploaded media content rather than active code. This measure is implemented through a configuration file, videos/.htaccess, which applies a strict access control rule to files placed under the videos/ directory.
This .htaccess file is generated by plugin/Scheduler/watchDog.php, which copies plugin/Scheduler/htaccess.sample.txt into videos/.htaccess.
A crucial part of this .htaccess is a <FilesMatch> directive that lists a comprehensive array of file extensions:
# Deny access to all sensitive file types and prevent execution
<FilesMatch "(?i)\.(php[a-z0-9]?|phtml|sh|log|lock|bat|bin|cmd|com|cpl|exe|gadget|inf1|ins|inx|isu|job|jse|lnk|msc|msi|msp|mst|paf|pif|ps1|reg|rgs|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|ws|wsf|wsh|bak|config|inc|bkp)$">
    <IfModule !authz_core_module>
        Order Allow,Deny
        Deny from all
    </IfModule>
    <IfModule authz_core_module>
        Require all denied
    </IfModule>
</FilesMatch>
This list matches PHP file extensions in a case-insensitive way using the regular expression \.php[a-z0-9]?$.
For any file matching one of these extensions, the configuration explicitly denies all access, effectively preventing the web server from executing them. This prevents an attacker from uploading a PHP script and then triggering its execution on the server.
However, the .phar file extension is absent from the list of disallowed file types. PHP Archive (.phar) files are a legitimate format for packaging entire PHP applications into a single archive. If the underlying PHP environment has the PHAR module enabled, these .phar files can be executed directly by the PHP interpreter, just like standard .php scripts.
AVideo's Dockerfile builds PHP with the PHAR module enabled by default, allowing execution of arbitrary .phar files within the videos/ directory. Consequently, an attacker could potentially upload a .phar file and execute it, as demonstrated in TALOS-2025-????.
2025-07-10 - Vendor Disclosure
2025-07-14 - Vendor Patch Release
2025-07-24 - Public Release
Discovered by Claudio Bozzato of Cisco Talos.