{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32944", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "state": "PUBLISHED", "assignerShortName": "JFROG", "dateReserved": "2025-04-14T21:01:55.917Z", "datePublished": "2025-04-15T12:50:38.735Z", "dateUpdated": "2025-04-15T13:30:20.412Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com", "defaultStatus": "unaffected", "packageName": "Chocobozzz/PeerTube", "versions": [{"lessThan": "7.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.  If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup."}], "value": "The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.\u00a0\u00a0If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "description": "CWE-248 Uncaught Exception", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2025-04-15T12:50:38.735Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1"}, {"tags": ["third-party-advisory"], "url": "https://research.jfrog.com/vulnerabilities/peertube-archive-persistent-dos/"}], "source": {"discovery": "UNKNOWN"}, "title": "PeerTube User Import Authenticated Persistent Denial of Service", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-15T13:29:49.083370Z", "id": "CVE-2025-32944", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-15T13:30:20.412Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32944", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "state": "PUBLISHED", "assignerShortName": "JFROG", "dateReserved": "2025-04-14T21:01:55.917Z", "datePublished": "2025-04-15T12:50:38.735Z", "dateUpdated": "2025-04-15T13:30:20.412Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com", "defaultStatus": "unaffected", "packageName": "Chocobozzz/PeerTube", "versions": [{"lessThan": "7.1.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.  If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup."}], "value": "The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.\u00a0\u00a0If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-248", "description": "CWE-248 Uncaught Exception", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2025-04-15T12:50:38.735Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1"}, {"tags": ["third-party-advisory"], "url": "https://research.jfrog.com/vulnerabilities/peertube-archive-persistent-dos/"}], "source": {"discovery": "UNKNOWN"}, "title": "PeerTube User Import Authenticated Persistent Denial of Service", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32944", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-15T13:29:49.083370Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-15T13:30:08.419Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:framasoft:peertube:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8E26564-C5EB-4B35-9E6B-2B4C4297D307", "versionEndExcluding": "7.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner.\u00a0\u00a0If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup."}, {"lang": "es", "value": "La vulnerabilidad permite que cualquier usuario autenticado provoque el bloqueo persistente del servidor de PeerTube. Si la importaci\u00f3n de usuarios est\u00e1 habilitada (configuraci\u00f3n predeterminada), cualquier usuario registrado puede cargar un archivo para su importaci\u00f3n. El c\u00f3digo utiliza la librer\u00eda yauzl para leer el archivo. Si la librer\u00eda yauzl encuentra un nombre de archivo considerado ilegal, genera una excepci\u00f3n que PeerTube no detecta, lo que provoca un bloqueo que se repite indefinidamente al iniciar."}], "id": "CVE-2025-32944", "lastModified": "2025-10-21T14:34:03.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "reefs@jfrog.com", "type": "Secondary"}]}, "published": "2025-04-15T13:15:55.100", "references": [{"source": "reefs@jfrog.com", "tags": ["Release Notes"], "url": "https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1"}, {"source": "reefs@jfrog.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://research.jfrog.com/vulnerabilities/peertube-archive-persistent-dos/"}], "sourceIdentifier": "reefs@jfrog.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-248"}], "source": "reefs@jfrog.com", "type": "Primary"}]}

{}

{}