Alta Video—1578: Improper Domain Lookup vulnerability in libuv1 could lead to SSRF

Release Date

11th of November 2025.

Overview

A vulnerability was identified in libuv1, used in the Alta Video TURN servers. The uv_getaddrinfo function truncated hostnames to 256 characters without proper null termination before calling getaddrinfo. This could be exploited to craft payloads that resolve to unintended IP addresses, potentially bypassing developer checks. The vulnerability could lead to Server-Side Request Forgery (SSRF) attacks in certain scenarios.
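
The following is an added example, not code from libuv or Alta Video: a simplified model of the truncation described above, alongside a caller-side gate that rejects over-length hostnames so the name that is validated is the name that is resolved. The function names, the suffix allowlist, the 253-byte limit and the sample hostname are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>

#define LOOKUP_BUF 256   /* truncation length stated in the advisory */
#define DNS_NAME_MAX 253 /* assumed limit: longest textual DNS name */

/* Model of the truncation described above: keep at most 256 bytes.
 * Unlike the bug, this copy is terminated so it can be inspected. */
void truncated_copy(const char *host, char out[LOOKUP_BUF + 1]) {
    size_t n = strlen(host);
    if (n > LOOKUP_BUF) n = LOOKUP_BUF;
    memcpy(out, host, n);
    out[n] = '\0';
}

/* Hypothetical caller-side allowlist check: name ends with `suffix`. */
bool has_suffix(const char *host, const char *suffix) {
    size_t h = strlen(host), s = strlen(suffix);
    return h >= s && strcmp(host + h - s, suffix) == 0;
}

/* Hardened gate: refuse any name the resolver could not take whole, so
 * the name that was checked is exactly the name that gets resolved. */
bool safe_for_lookup(const char *host, const char *suffix) {
    size_t n = strlen(host);
    if (n == 0 || n > DNS_NAME_MAX) return false;
    return has_suffix(host, suffix);
}

/* True when the check passes on a name the lookup would see differently. */
bool check_and_lookup_diverge(const char *host, const char *suffix) {
    char seen[LOOKUP_BUF + 1];
    truncated_copy(host, seen);
    return has_suffix(host, suffix) && strcmp(host, seen) != 0;
}

/* Constructed sample: `pad` filler bytes followed by an allowed suffix. */
const char *sample_name(size_t pad) {
    static char buf[512];
    if (pad > 400) pad = 400;
    memset(buf, 'a', pad);
    strcpy(buf + pad, ".example.com");
    return buf;
}

int main(void) {
    const char *sfx = ".example.com";
    return check_and_lookup_diverge(sample_name(300), sfx) ? 0 : 1;
}
```

Applying the length check before any allowlist or deny-list decision keeps that decision valid regardless of how the resolver library handles long input.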

Affected Products

  • Alta Video: after 10th of December 2024.

Unaffected Products

  • Alta Video: before 10th of December 2024.

  • Avigilon Cloud-Native Cameras: all versions.

  • Alta Video Cloud: all versions.

Resolution

This issue has been fixed in Alta Video since the 10th of December 2024. Alta Video customers do not need to take any additional action.

Vulnerability Information

Mitigations

There are no known mitigations for this issue.

Workarounds

There are no known workarounds for this issue.

Acknowledgements

Issue reported by project maintainers.

Disclosure Timeline

  • 10/07/2024 Issue found
  • 10/07/2024 Root cause established
  • 10/12/2024 Fix identified
  • 10/12/2024 Patched Alta Video (Beta upgrade channel) released
  • 10/12/2024 Patched Alta Video (Stable upgrade channel) released
  • 11/11/2025 Vulnerability publicly disclosed