CVE-2025-32944 | THREATINT

Description

The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.

PUBLISHED Reserved 2025-04-14 | Published 2025-04-15 | Updated 2025-04-15 | Assigner JFROG

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-248 Uncaught Exception

Product status

Default status

unaffected

Any version before 7.1.1

affected

References

github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1 patch

research.jfrog.com/...ities/peertube-archive-persistent-dos/ third-party-advisory

cve.org (CVE-2025-32944)

nvd.nist.gov (CVE-2025-32944)

Download JSON