CVE-2025-32944 (GCVE-0-2025-32944)

Vulnerability from cvelistv5 – Published: 2025-04-15 12:50 – Updated: 2025-04-15 13:30
VLAI?
Summary
The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.  If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE
Assigner
References
Impacted products
Vendor Product Version
Affected: 0 , < 7.1.1 (custom)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-32944",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-15T13:29:49.083370Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-15T13:30:20.412Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com",
          "defaultStatus": "unaffected",
          "packageName": "Chocobozzz/PeerTube",
          "versions": [
            {
              "lessThan": "7.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.\u0026nbsp;\u0026nbsp;If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup."
            }
          ],
          "value": "The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.\u00a0\u00a0If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-248",
              "description": "CWE-248 Uncaught Exception",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-04-15T12:50:38.735Z",
        "orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
        "shortName": "JFROG"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://research.jfrog.com/vulnerabilities/peertube-archive-persistent-dos/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "PeerTube User Import Authenticated Persistent Denial of Service",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
    "assignerShortName": "JFROG",
    "cveId": "CVE-2025-32944",
    "datePublished": "2025-04-15T12:50:38.735Z",
    "dateReserved": "2025-04-14T21:01:55.917Z",
    "dateUpdated": "2025-04-15T13:30:20.412Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-32944\",\"sourceIdentifier\":\"reefs@jfrog.com\",\"published\":\"2025-04-15T13:15:55.100\",\"lastModified\":\"2025-10-21T14:34:03.990\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.\u00a0\u00a0If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad permite que cualquier usuario autenticado provoque el bloqueo persistente del servidor de PeerTube. Si la importaci\u00f3n de usuarios est\u00e1 habilitada (configuraci\u00f3n predeterminada), cualquier usuario registrado puede cargar un archivo para su importaci\u00f3n. El c\u00f3digo utiliza la librer\u00eda yauzl para leer el archivo. Si la librer\u00eda yauzl encuentra un nombre de archivo considerado ilegal, genera una excepci\u00f3n que PeerTube no detecta, lo que provoca un bloqueo que se repite indefinidamente al iniciar.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"reefs@jfrog.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"reefs@jfrog.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-248\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:framasoft:peertube:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"7.1.1\",\"matchCriteriaId\":\"D8E26564-C5EB-4B35-9E6B-2B4C4297D307\"}]}]}],\"references\":[{\"url\":\"https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1\",\"source\":\"reefs@jfrog.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://research.jfrog.com/vulnerabilities/peertube-archive-persistent-dos/\",\"source\":\"reefs@jfrog.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"affected\": [{\"collectionURL\": \"https://github.com\", \"defaultStatus\": \"unaffected\", \"packageName\": \"Chocobozzz/PeerTube\", \"versions\": [{\"lessThan\": \"7.1.1\", \"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\"}]}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.\u0026nbsp;\u0026nbsp;If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.\"}], \"value\": \"The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.\\u00a0\\u00a0If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.\"}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-248\", \"description\": \"CWE-248 Uncaught Exception\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"48a46f29-ae42-4e1d-90dd-c1676c1e5e6d\", \"shortName\": \"JFROG\", \"dateUpdated\": \"2025-04-15T12:50:38.735Z\"}, \"references\": [{\"tags\": [\"patch\"], \"url\": \"https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1\"}, {\"tags\": [\"third-party-advisory\"], \"url\": \"https://research.jfrog.com/vulnerabilities/peertube-archive-persistent-dos/\"}], \"source\": {\"discovery\": \"UNKNOWN\"}, \"title\": \"PeerTube User Import Authenticated Persistent Denial of Service\", \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-32944\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-15T13:29:49.083370Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-15T13:30:08.419Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-32944\", \"assignerOrgId\": \"48a46f29-ae42-4e1d-90dd-c1676c1e5e6d\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"JFROG\", \"dateReserved\": \"2025-04-14T21:01:55.917Z\", \"datePublished\": \"2025-04-15T12:50:38.735Z\", \"dateUpdated\": \"2025-04-15T13:30:20.412Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.