CVE-2025-32944

The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1	Release Notes
https://research.jfrog.com/vulnerabilities/peertube-archive-persistent-dos/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:framasoft:peertube:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-04-15 13:15

Updated : 2025-10-21 14:34

NVD link : CVE-2025-32944

Mitre link : CVE-2025-32944

CVE.ORG link : CVE-2025-32944

JSON object : View

Products Affected

framasoft

peertube

CWE

CWE-248

Uncaught Exception

{"id": "CVE-2025-32944", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2025-04-15T13:15:55.100", "references": [{"url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://research.jfrog.com/vulnerabilities/peertube-archive-persistent-dos/", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-248"}]}], "descriptions": [{"lang": "en", "value": "The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.\u00a0\u00a0If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup."}, {"lang": "es", "value": "La vulnerabilidad permite que cualquier usuario autenticado provoque el bloqueo persistente del servidor de PeerTube. Si la importaci\u00f3n de usuarios est\u00e1 habilitada (configuraci\u00f3n predeterminada), cualquier usuario registrado puede cargar un archivo para su importaci\u00f3n. El c\u00f3digo utiliza la librer\u00eda yauzl para leer el archivo. Si la librer\u00eda yauzl encuentra un nombre de archivo considerado ilegal, genera una excepci\u00f3n que PeerTube no detecta, lo que provoca un bloqueo que se repite indefinidamente al iniciar."}], "lastModified": "2025-10-21T14:34:03.990", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:framasoft:peertube:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8E26564-C5EB-4B35-9E6B-2B4C4297D307", "versionEndExcluding": "7.1.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}