Exploiting SSRF in video converters – All things in moderation

Exploiting SSRF in video converters


  • dozens of video formats
  • hundreds of video/audio codecs
  • different bitrates, resolutions, etc.


What is FFmpeg?

According to Wikipedia, FFmpeg is a free software project that produces libraries and programs for handling multimedia data. In short, it is a video converter tool.

How FFmpeg really works

Look closer at ffmpeg: extension

Play video out.mp4:

HTTP Live Streaming (HLS)

  • Live and on-demand streaming
  • Developed by Apple
  • Supported in FFmpeg
  • Docs: https://developer.apple.com/streaming/


A file with the M3U8 file extension is a UTF-8 encoded audio playlist file. These are plain text files that can be used by both audio and video players to describe where media files are located. For more, see https://www.lifewire.com/m3u8-file-2621956

Make an HTTP request


Read response

Convert the same as above, with the content of the file header.m3u8 like:


Here we are:



Concat: reads a binary stream of data from multiple sources and interprets them as if they came from the same source.


The file header.y4m is located on the server at localhost/header.y4m


Yesss, it works!


  • Solution: FFmpeg protocol whitelist patch
  • In the latest versions (> 3.2.2) this vulnerability is fixed
  • There are 3 attack vectors you can exploit: thumbnail, DNS or MP4
  • The simple scenario is: upload a video file to a server that offers online video conversion; if it is using FFmpeg, try to exploit it
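As an added example (not code from the original post), here is a small Python check that a converter front end could run on an upload before handing it to FFmpeg: it recognizes an M3U8 playlist regardless of the file extension (the "mp4" vector above) and lists every URI the HLS demuxer would try to open, flagging anything that is not a plain relative path. The playlist bytes and the 203.0.113.10 address are constructed for this example.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Constructed sample: a playlist uploaded under a .mp4 name. The key and
# segment lines point at a non-local origin, which is what an FFmpeg-based
# converter would fetch while "converting" the file.
SAMPLE_UPLOAD = b"""#EXTM3U
#EXT-X-TARGETDURATION:10
#EXT-X-KEY:METHOD=AES-128,URI="http://203.0.113.10/key"
#EXTINF:10.0,
http://203.0.113.10/segment0.ts
#EXTINF:10.0,
concat:header.y4m|http://203.0.113.10/segment1.ts
#EXTINF:10.0,
segment2.ts
#EXT-X-ENDLIST
"""

def is_playlist(data: bytes) -> bool:
    """HLS playlists start with #EXTM3U whatever the upload's extension says."""
    return data.lstrip().startswith(b"#EXTM3U")

def referenced_uris(data: bytes) -> List[str]:
    """Return every URI the playlist would make a demuxer open:
    media segment lines plus URI="..." attributes on tag lines (e.g. EXT-X-KEY)."""
    uris = []
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            uris.extend(re.findall(r'URI="([^"]*)"', line))
        else:
            uris.append(line)
    return uris

def flagged_references(data: bytes) -> List[str]:
    """URIs that reach outside the upload itself: anything carrying a scheme
    (http, file, concat, subfile, ...) instead of a plain relative path."""
    return [u for u in referenced_uris(data) if urlsplit(u).scheme != ""]

def should_reject(data: bytes) -> bool:
    """Upload policy: refuse playlists that reference anything but relative segment paths."""
    return is_playlist(data) and bool(flagged_references(data))
```

Pair this with FFmpeg's own `-protocol_whitelist` option (for example `file,crypto`) on the converter command line, which is the whitelist the solution bullet refers to.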


