PatchSiren cyber security CVE debrief

CVE-2026-45619 WWBN CVE debrief

WWBN AVideo versions 29.0 and earlier contain a Time-of-Check to Time-of-Use (TOCTOU) vulnerability in SSRF protection mechanisms. The `isSSRFSafeURL()` function in `EpgParser.php`, `plugin/AI/receiveAsync.json.php`, and other locations returns a `$resolvedIP` out-parameter containing the DNS-resolved IP address, but this value is not subsequently used with `CURLOPT_RESOLVE` to pin the connection to that specific IP. This creates a DNS rebinding window where an attacker-controlled hostname can resolve to a safe IP during validation but switch to an internal or restricted IP address before the actual HTTP request is executed. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects network attack vector with high attack complexity due to timing requirements, no privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and no availability impact. The vulnerability is classified under CWE-367 (Time-of-check Time-of-use race condition) and CWE-918 (Server-Side Request Forgery). The issue was disclosed via GitHub Security Advisory and entered NVD as 'Undergoing Analysis' on the same day.

Vendor: WWBN
Product: AVideo
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running WWBN AVideo 29.0 or earlier; security teams responsible for SSRF protection in PHP applications; developers implementing DNS pinning for SSRF defenses.

Technical summary

The vulnerability exists because AVideo's SSRF protection performs DNS resolution and validation via isSSRFSafeURL(), which returns a resolved IP address through an output parameter. However, the calling code does not use this resolved IP with CURLOPT_RESOLVE to force cURL to connect to that specific address. Instead, cURL performs its own DNS lookup at connection time, creating a race condition window. An attacker can register a domain with short TTL DNS records that initially resolve to a permitted IP (passing validation) then switch to an internal IP (192.168.x.x, 10.x.x.x, 169.254.x.x, etc.) or metadata service endpoint (169.254.169.254) before cURL's connection attempt. This bypasses the intended SSRF protection and enables unauthorized access to internal resources. The attack requires precise timing and DNS control but is automatable. The fix involves capturing $resolvedIP and constructing CURLOPT_RESOLVE entries to eliminate the second DNS lookup.

Defensive priority

medium

Recommended defensive actions

  • Review all uses of isSSRFSafeURL() in EpgParser.php, plugin/AI/receiveAsync.json.php, and other identified locations to ensure the $resolvedIP out-parameter is captured and used
  • Implement CURLOPT_RESOLVE with the validated IP address to pin DNS resolution and prevent rebinding attacks
  • Validate the resolved IP and connect to that same address immediately; any second name lookup between the check and the connection (including one triggered by following a redirect) reopens the rebinding window
  • Monitor for patches from WWBN/AVideo project addressing this advisory
  • Consider network-level DNS rebinding protections as defense-in-depth if application patching is delayed
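The following is an added example written for this debrief, not code from the AVideo project. It shows the unpinned pattern the technical summary describes beside a pinned version that feeds the validated address into CURLOPT_RESOLVE, as the recommended actions above call for. The signature and body of isSSRFSafeURL(), the helper isPrivateOrReservedIP(), and the two fetch functions are assumptions modelled on the advisory text; AVideo's real implementation may differ.

```php
<?php
// Added example, not AVideo project code. isSSRFSafeURL() below is an
// assumed implementation that mirrors the out-parameter behaviour the
// advisory describes; the project's own function is not reproduced here.
// Requires PHP 8.0+ (union return types) and the curl extension.

function isPrivateOrReservedIP(string $ip): bool
{
    // NO_PRIV_RANGE rejects RFC 1918 space (10/8, 172.16/12, 192.168/16);
    // NO_RES_RANGE rejects loopback, link-local (incl. 169.254.169.254)
    // and other reserved blocks.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Returns true only if every address the host resolves to is acceptable,
// and hands the address that was checked back through $resolvedIP.
function isSSRFSafeURL(string $url, ?string &$resolvedIP = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    $host = $parts['host'];
    // Literal IP in the URL: no DNS involved, validate it directly.
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        $resolvedIP = $host;
        return !isPrivateOrReservedIP($host);
    }
    // Resolve once. gethostbynamel() only returns A records; a production
    // check would also resolve AAAA via dns_get_record() and pin both.
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        if (isPrivateOrReservedIP($ip)) {
            return false;
        }
    }
    $resolvedIP = $ips[0];
    return true;
}

// UNPINNED pattern (CWE-367 / CWE-918): the check resolves the name, then
// cURL resolves it again at connect time. $resolvedIP is simply dropped, so
// a name whose answer changes between the two lookups defeats the check.
function fetchUnpinned(string $url): string|false
{
    if (!isSSRFSafeURL($url, $resolvedIP)) {
        return false;
    }
    $ch = curl_init($url);            // $resolvedIP unused from here on
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// PINNED pattern: cURL is told to use exactly the address that passed the
// check, so there is no second lookup. The URL keeps its hostname, which
// preserves the Host header and TLS SNI. Redirects are disabled because
// following one would trigger a fresh, unchecked resolution of a new host.
function fetchPinned(string $url): string|false
{
    if (!isSSRFSafeURL($url, $resolvedIP)) {
        return false;
    }
    $parts = parse_url($url);
    $host  = $parts['host'];
    $port  = $parts['port'] ?? ($parts['scheme'] === 'https' ? 443 : 80);

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        // Entry format is "host:port:address"; it overrides cURL's DNS cache.
        CURLOPT_RESOLVE        => ["{$host}:{$port}:{$resolvedIP}"],
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Usage (constructed input): both calls validate the name, but only the
// second one connects to the address that was actually validated.
// var_dump(fetchUnpinned('https://example.com/feed.xml'));
// var_dump(fetchPinned('https://example.com/feed.xml'));
```

Two points in the pinned version matter beyond CURLOPT_RESOLVE itself. First, the port in the resolve entry must match the port cURL will actually use, otherwise the entry is ignored and cURL falls back to its own lookup. Second, if redirects must be followed, each hop needs the same validate-then-pin treatment rather than CURLOPT_FOLLOWLOCATION, since the redirect target is a new name that the original check never saw.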

Evidence notes

Vulnerability description sourced from NVD record published 2026-05-29T14:16:30.980Z. Technical details (EpgParser.php, receiveAsync.json.php, isSSRFSafeURL(), CURLOPT_RESOLVE, DNS rebinding TOCTOU) derived from CVE description field. CVSS vector and CWE classifications from NVD source metadata. GitHub Security Advisory reference confirmed in sourceItem metadata. Vendor attribution to WWBN AVideo from CVE description.

Official resources

2026-05-29