Critical Zero-Click Command Injection in AVideo Platform Enables Stream Hijacking

A critical zero-click vulnerability has been disclosed in the AVideo platform, a widely used open-source video streaming and sharing framework.

The flaw allows unauthenticated remote attackers to execute arbitrary operating system commands on affected servers, potentially leading to complete system compromise and live stream hijacking.

The issue was made public by DanielnetoDotCom under advisory GHSA-9j26-99jh-v26q, published four days ago.

The affected version is AVideo 6.0, with patches available starting from version 7.0. While the advisory lists no associated package, the impact and exploitability of the bug place it firmly in the critical severity range.

Unauthenticated Command Injection via base64Url Parameter

The vulnerability resides in the objects/getImage.php endpoint, which handles image requests and processing.

The flaw arises from improper handling of the “base64Url” GET parameter, which is Base64-decoded and embedded directly into an ffmpeg shell command inside a double-quoted string.

Because the input is not properly escaped, attackers can inject shell metacharacters or command substitution syntax that the underlying shell interprets as executable code.

In practice, this means an attacker could send a crafted request to the vulnerable endpoint with maliciously encoded command sequences in the base64Url parameter and achieve remote command execution without authentication or direct interaction with the target system.

The attack vector is zero-click, requiring no user input, login, or admin privileges.

According to the advisory, the root cause lies in the misuse of FILTER_VALIDATE_URL for input sanitization.

While this PHP filter checks only that the value is syntactically a URL, it does not neutralize shell metacharacters ($(), `, ;, or &), so a value that passes the filter can still be interpreted as shell syntax when it is embedded in a command string.

The vulnerable code path runs through objects/security.php and ultimately invokes shell_exec() or nohup, enabling asynchronous command execution.

Once exploited, attackers can execute arbitrary shell commands with the web server’s privileges. Potential impacts include:

  • Full server takeover and persistent access.
  • Data exfiltration of configuration files, API tokens, or database credentials.
  • Service disruption, such as deletion or alteration of media files.
  • Stream hijacking, where live or hosted content could be replaced or manipulated.

Security researchers note that due to the unauthenticated nature of the bug, attackers could automate large-scale exploitation to target vulnerable AVideo installations across the internet.

The vendor has released patched builds starting from AVideo 7.0, applying proper shell argument escaping (e.g., escapeshellarg()) to all user-supplied parameters before executing shell commands.

Additionally, developers were advised to avoid double-quoted string interpolation of variables within command contexts and adopt secure process execution techniques instead of raw shell calls.
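To make the root cause and the fix concrete, the following PHP is an added illustration written for this article, not code from AVideo or the advisory; the function names, the ffmpeg arguments and the sample URL are assumptions.

```php
<?php
// Added illustration, not AVideo's code: why FILTER_VALIDATE_URL alone does not
// make a value safe inside a shell command, and two hardened alternatives.

// FILTER_VALIDATE_URL checks URL syntax only; shell-significant characters
// such as '$' are legal in a URL and survive the check unchanged.
function passesUrlFilter(string $candidate): bool
{
    return filter_var($candidate, FILTER_VALIDATE_URL) !== false;
}

// The anti-pattern the advisory describes: a validated but unescaped value
// interpolated into a double-quoted shell string. Inside shell double quotes
// '$' and backticks are still expanded. The string is only built here, never run.
function buildCommandUnsafe(string $url, string $outPath): string
{
    return "ffmpeg -i \"$url\" -vframes 1 \"$outPath\"";
}

// Hardened form 1: escapeshellarg() wraps each argument in single quotes, in
// which the shell performs no expansion, so the value reaches ffmpeg literally.
function buildCommandSafe(string $url, string $outPath): string
{
    return 'ffmpeg -i ' . escapeshellarg($url) . ' -vframes 1 ' . escapeshellarg($outPath);
}

// Hardened form 2 (PHP >= 7.4): proc_open() with an argument array starts the
// program directly, without a shell, so there is no command string to inject into.
function runFfmpegWithoutShell(string $url, string $outPath): int
{
    $argv = ['ffmpeg', '-i', $url, '-vframes', '1', $outPath];
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        return -1;
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc); // ffmpeg's exit status
}

// Constructed sample: a syntactically valid URL carrying a harmless shell
// variable reference, enough to show that the filter lets '$' through.
$sample = 'http://example.invalid/a.jpg?v=$HOME';
var_dump(passesUrlFilter($sample));                        // filter result for the sample
echo buildCommandUnsafe($sample, '/tmp/out.jpg'), PHP_EOL;  // $HOME sits inside double quotes
echo buildCommandSafe($sample, '/tmp/out.jpg'), PHP_EOL;    // whole value is one single-quoted argument
```

Comparing the two echoed command lines shows the difference the patch makes: in the first the value sits in shell double quotes, where expansion still happens, while in the second escapeshellarg() has made it a single literal argument.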

For users unable to upgrade immediately, suggested mitigations include:

  • Restricting access to objects/getImage.php via web server or reverse proxy rules, allowing only trusted IPs or authenticated sessions.
  • Deploying WAF (Web Application Firewall) rules to detect and block suspicious payloads resembling command substitution.
  • Monitoring logs for anomalous ffmpeg invocations or system commands initiated from web server processes.


The post Critical Zero-Click Command Injection in AVideo Platform Enables Stream Hijacking appeared first on Cyber Security News.
