WWBN AVideo, an open source video platform, suffers from a Server-Side Request Forgery vulnerability (CWE-918) in versions 26.0 and below. The vulnerability is due to an incomplete SSRF mitigation in the LiveLinks proxy component, where the isSSRFSafeURL() function performs validation but is vulnerable to DNS TOCTOU attacks. Specifically, DNS rebinding can occur between the validation step and the actual HTTP request, allowing an attacker to redirect requests to internal network endpoints. The issue is addressed in a later commit (8d8fc0cadb425835b4861036d589abcea4d78ee8), but no official patch or advisory is currently provided. The CVSS v3.1 score is 8.6, reflecting high severity with network attack vector, low attack complexity, no privileges required, no user interaction, scope change, and high confidentiality impact.

Successful exploitation of this SSRF vulnerability could allow an attacker to cause the server to send HTTP requests to internal network resources that are otherwise inaccessible, potentially exposing sensitive information or enabling further attacks within the internal network. The vulnerability does not impact integrity or availability directly but has a high confidentiality impact. No known exploits in the wild have been reported at this time.

An updated fix for this vulnerability is available in commit 8d8fc0cadb425835b4861036d589abcea4d78ee8, which addresses the DNS TOCTOU issue in the SSRF validation logic. Since no official vendor advisory or patch link is provided, users should review and apply this commit or later versions that include this fix. Patch status is not yet confirmed through an official advisory; therefore, users should monitor WWBN's official channels for formal patch releases and guidance.