wvbn/avideo CORS Origin Reflection Bypass Leads to Auth API Data Leakage

Vulnerability Summary: CORS Origin Reflection Bypass Leads to Authentication API Response Disclosure Vulnerability Overview In the project, the commit released in April 2024 attempted to fix the CORS origin validation issue but was incomplete. There are two independent code paths that can still reflect arbitrary headers, allowing an attacker to initiate cross-origin credentialed requests and read authentication API responses containing user PII (personally identifiable information), email, admin status, and session-sensitive data. Core of the Vulnerability: 1. Independent CORS handling logic in (lines 4–8) unconditionally reflects any header. 2. The function called by and (in ) also reflects any credentialed header. Additional Issue: Line 4 of falls back to when is missing, injecting an attacker-controlled full URL into the header — non-standard behavior. Impact Scope Affected Versions: Composer package Severity: High (7.1 / 10) CVSS v3 Base Metrics: Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: Low Availability: None Data Exposure Impact: Video List Endpoint ( ): Sensitive user fields (email, isAdmin, etc.) are stripped only for unauthenticated requests; thus, authenticated CORS requests return complete data. User Profile Endpoint ( ): When is true, all sensitive fields (including email, admin status, recovery token, PII) are not stripped. Data Theft: Any third-party website can read the authenticated API responses of logged-in Avideo users, including profile data (real name, address, phone, admin status, PII), video lists (with creator PII), and other session-specific data. Account Information Leakage: The user profile endpoint returns the full user record, including (password recovery token), status, and all PII fields. Acting on Behalf of Users: Write endpoints such as are also affected, allowing cross-origin state-changing requests (creating playlists, modifying content, etc.), thereby hijacking user sessions. Intentional Bypass: This vulnerability directly bypasses the CORS hardening measures introduced in commit . Remediation 1. Remove the standalone CORS handler in : Let uniformly handle all CORS logic. 2. Fix to validate origins: Or stop using it in API endpoints. Only retain for truly public endpoints without session-sensitive data (e.g., VAST/VMAP ad XML). 3. As defense in depth: Set on session cookies to prevent browsers from sending them by default in cross-origin requests. POC Code Step 1: Host the following HTML on an attacker-controlled domain: Step 2: Victim visits the attacker’s page while logged into Avideo. Step 3: Browser sends the request with the victim’s session cookie. Line 8 of reflects the attacker’s origin. calls , resetting to the attacker’s origin and setting . Step 4: Browser allows cross-origin reading. Attacker receives the victim’s full profile, including email, name, address, admin status, and other PII. For POST endpoints requiring preflight:** Preflight OPTIONS is handled by lines 14–18 of , which reflect the origin and exit — the CORS fix inside will not execute.

Goal Reached Thanks to every supporter — we hit 100%!

wvbn/avideo CORS Origin Reflection Bypass Leads to Auth API Data Leakage

More from this source