CVE-2025-32949

MEDIUM

6.5

Descricao

This vulnerability allows any authenticated user to cause the server to consume very large amounts of disk space when extracting a Zip Bomb. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. The yauzl library does not contain any mechanism to detect or prevent extraction of a Zip Bomb https://en.wikipedia.org/wiki/Zip_bomb . Therefore, when using the User Import functionality with a Zip Bomb, PeerTube will try extracting the archive which will cause a disk space resource exhaustion.

Detalhes CVE

Pontuacao CVSS v3.16.5

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosLOW

Interacao do usuarioNONE

Publicado4/15/2025

Ultima modificacao10/21/2025

Fontenvd

Avistamentos honeypot0

Produtos afetados

framasoft:peertube

Fraquezas (CWE)

CWE-409

Referencias

https://github.com/Chocobozzz/PeerTube/releases/tag/v7.1.1(reefs@jfrog.com)

https://research.jfrog.com/vulnerabilities/peertube-archive-resource-exhaustion/(reefs@jfrog.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.